Analysis Report Documents_111651917_375818984.xls

Overview

General Information

Sample Name: Documents_111651917_375818984.xls
Analysis ID: 403285
MD5: 72526a505496a9b7da9a6c9651dbda5e
SHA1: 84cf963666314eee0d8ad1ef09e5462a66e3ccbf
SHA256: 3c20530c13d6736ec705786d1694052b2abf42bf87d3bbc359ea95b343fcf681
Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects a PE file into a foreign processes
Office process drops PE file
Sample uses process hollowing technique
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 104.21.64.132:443 -> 192.168.2.4:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.222.240.99:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.163.9.216:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: dnsapi.pdbUGP source: cmd.exe, 00000007.00000002.972468741.00000000010B0000.00000002.00000001.sdmp
Source: Binary string: wininet.pdb source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb source: vegas[1].dll.0.dr
Source: Binary string: bcrypt.pdb source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp
Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000007.00000002.974902866.0000000004EB0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000007.00000002.974902866.0000000004EB0000.00000002.00000001.sdmp
Source: Binary string: msi.pdbUGP source: cmd.exe, 00000007.00000002.973317482.0000000004AC0000.00000002.00000001.sdmp
Source: Binary string: ole32.pdbUGP source: cmd.exe, 00000007.00000002.972298615.0000000000D30000.00000002.00000001.sdmp
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb@ source: vegas[1].dll.0.dr
Source: Binary string: ole32.pdb source: cmd.exe, 00000007.00000002.972298615.0000000000D30000.00000002.00000001.sdmp
Source: Binary string: advapi32.pdb source: rundll32.exe, 00000001.00000003.711716149.0000000003035000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: msi.pdb source: cmd.exe, 00000007.00000002.973317482.0000000004AC0000.00000002.00000001.sdmp
Source: Binary string: crypt32.pdbUGP source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp
Source: Binary string: bcrypt.pdbGCTL source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbUGP source: rundll32.exe, 00000001.00000003.711716149.0000000003035000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: cmd.exe, 00000007.00000002.972468741.00000000010B0000.00000002.00000001.sdmp
Source: Binary string: netapi32.pdb source: cmd.exe, 00000007.00000002.972431909.0000000000E30000.00000002.00000001.sdmp
Source: Binary string: shlwapi.pdb source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbUGP source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp
Source: Binary string: netapi32.pdbUGP source: cmd.exe, 00000007.00000002.972431909.0000000000E30000.00000002.00000001.sdmp
Source: Binary string: wininet.pdbUGP source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp
Source: Binary string: shell32.pdbUGP source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: crypt32.pdb source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67335D36 FindFirstFileExW, 1_2_67335D36

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: vegas[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: \KnownDlls32\WININET.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: otusmail.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49709 -> 104.21.64.132:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49709 -> 104.21.64.132:443

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 18.222.240.99
Source: unknown DNS traffic detected: queries for: otusmail.com
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp String found in binary or memory: https://18.222.240.99/
Source: rundll32.exe, 00000001.00000002.802478061.000000000301A000.00000004.00000020.sdmp String found in binary or memory: https://18.222.240.99/U
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp String found in binary or memory: https://18.222.240.99/gO~
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp String found in binary or memory: https://18.222.240.99/hOg
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp String found in binary or memory: https://18.222.240.99/qOh
Source: rundll32.exe, 00000001.00000002.802478061.000000000301A000.00000004.00000020.sdmp String found in binary or memory: https://18.222.240.99/update/info
Source: rundll32.exe, 00000001.00000003.801717651.00000000030BE000.00000004.00000001.sdmp String found in binary or memory: https://18.222.240.99/update/infoy
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp String found in binary or memory: https://18.222.240.99/versal
Source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp String found in binary or memory: https://HTTP/1.1
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://eca.hinet.net/repository0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 104.21.64.132:443 -> 192.168.2.4:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.222.240.99:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.163.9.216:443 -> 192.168.2.4:49739 version: TLS 1.2
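Two caveats on the string hits above, followed by an added triage example that is not part of the Joe Sandbox report. First, the CA policy, CRL and OCSP URLs attributed to cmd.exe all come from one memory region (00000007.00000002.976016305.0000000005040000), and the same region is where the report later finds the crypt32.pdb debug string, so they are the certificate-chain URLs embedded in crypt32.dll that any process loading that library carries; they are not indicators for this sample. Second, the strings that matter are the ones only rundll32.exe, the process that loaded the dropped bsdnbsej.dbw, holds: an IP-literal HTTPS host, 18.222.240.99, with paths such as /update/info, which lines up with the TLS session the sandbox recorded to 18.222.240.99:443. Trailing characters such as the "0", "09", "y" and "gO~" suffixes are bytes adjacent to the URL in memory, not parts of the path. The Python below, written for this page rather than taken from the report, applies that split mechanically: it groups URL-looking strings by host, drops format strings like https://HTTP/1.1, and reports hosts that are IP literals or that only one process held. The input rows are constructed to mirror the report's entries.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed rows in the report's "(process, string)" shape, not the report's raw memory dump.
# The trailing "09", "0", "y" and "gO~" fragments imitate the neighbouring bytes that memory
# string extraction drags along behind a URL.
SAMPLE_STRINGS = [
    ("cmd.exe", "http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09"),
    ("cmd.exe", "https://ocsp.quovadisoffshore.com0"),
    ("cmd.exe", "https://HTTP/1.1"),
    ("rundll32.exe", "https://18.222.240.99/"),
    ("rundll32.exe", "https://18.222.240.99/update/info"),
    ("rundll32.exe", "https://18.222.240.99/update/infoy"),
    ("rundll32.exe", "https://18.222.240.99/gO~"),
]

# Scheme, host (with optional port) and a path made of ordinary URL characters.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~\-/]*)?")


def is_ip_literal(host: str) -> bool:
    """True for hosts that are a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_urls(strings):
    """Group URL-looking strings by host, recording the holding processes and the paths seen."""
    by_host = {}
    for process, text in strings:
        match = URL_RE.match(text)
        if not match:
            continue
        parts = urlsplit(match.group(0))
        host = (parts.hostname or "").lower()
        if "." not in host:  # "https://HTTP/1.1" is a wininet format string, not a host
            continue
        entry = by_host.setdefault(
            host, {"ip_literal": is_ip_literal(host), "processes": set(), "paths": set()}
        )
        entry["processes"].add(process)
        entry["paths"].add(parts.path or "/")
    return by_host


def ip_literal_hosts(strings):
    """Hosts addressed by IP rather than name: the first thing to pivot on in this kind of dump."""
    return sorted(host for host, entry in triage_urls(strings).items() if entry["ip_literal"])


def hosts_only_in(strings, process: str):
    """Hosts that exactly one process held, useful for separating payload strings from library noise."""
    return sorted(host for host, entry in triage_urls(strings).items() if entry["processes"] == {process})


if __name__ == "__main__":
    for host, entry in triage_urls(SAMPLE_STRINGS).items():
        flag = "IP-LITERAL" if entry["ip_literal"] else "name"
        print(f"{host:32} {flag:10} {sorted(entry['processes'])} {sorted(entry['paths'])}")
```

On a full report the same grouping also shows which hosts appear only in the unpacked payload region versus in every process, which is the quickest way to discard the crypt32, wininet and shell32 string sets.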

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet 13 ' k 14 0 Protected
Source: Screenshot number: 4 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start " 18 the decryption of the doc
Source: Screenshot number: 8 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Screenshot number: 8 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start c'the decryption of the docume
Found Excel 4.0 Macro with suspicious formulas
Source: Documents_111651917_375818984.xls Initial sample: EXEC
Source: Documents_111651917_375818984.xls Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: Documents_111651917_375818984.xls Initial sample: Sheet size: 4672
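How those three findings are made, as an added example (not code from the report or from Joe Sandbox): in a legacy .xls file the Workbook stream inside the OLE container begins with a globals substream whose BoundSheet8 records give, for every sheet, its offset, its visibility (visible, hidden, or very hidden, the last only settable through VBA or by editing the file) and its type, where dt = 0x01 marks an Excel 4.0 macro sheet. A hidden or very-hidden macro sheet is the first signal; the EXEC and CALL hits come from the FORMULA records inside that sheet's substream, which need a ptg decoder (oletools' olevba with its XLM support, or XLMMacroDeobfuscator, does this) and are not parsed here. The parser below walks the globals substream, decodes the BoundSheet8 records and estimates each sheet's size from the gap to the next sheet's offset. It runs on a constructed stream in which the very-hidden macro sheet is 4672 bytes, the figure the report flagged; on a real file, read the Workbook stream out of the OLE container first (for example with olefile) and pass those bytes in.

```python
import struct

# BIFF8 record ids from MS-XLS: BoundSheet8, BOF, EOF
BOUNDSHEET = 0x0085
BOF = 0x0809
EOF = 0x000A

HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}


def iter_globals_records(stream: bytes):
    """Yield (record_id, body) for the Workbook Globals substream, stopping at its EOF record."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rec_id, stream[pos:pos + length]
        pos += length
        if rec_id == EOF:
            break


def parse_boundsheet(body: bytes) -> dict:
    """Decode BoundSheet8: lbPlyPos (4), hsState (1, low 2 bits), dt (1), cch (1), fHighByte (1), name."""
    ply_pos, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", body, 0)
    raw = body[8:]
    if flags & 0x01:
        name = raw[:cch * 2].decode("utf-16-le", "replace")
    else:
        name = raw[:cch].decode("latin-1")
    return {
        "name": name,
        "offset": ply_pos,
        "state": HS_STATE.get(hs_state & 0x03, "unknown"),
        "type": SHEET_TYPE.get(dt, f"0x{dt:02x}"),
    }


def list_sheets(stream: bytes) -> list:
    """All sheets in offset order, each with an approximate substream size (gap to the next sheet)."""
    sheets = [parse_boundsheet(body) for rid, body in iter_globals_records(stream) if rid == BOUNDSHEET]
    sheets.sort(key=lambda s: s["offset"])
    for i, sheet in enumerate(sheets):
        end = sheets[i + 1]["offset"] if i + 1 < len(sheets) else len(stream)
        sheet["approx_size"] = end - sheet["offset"]
    return sheets


def hidden_macro_sheets(stream: bytes) -> list:
    """Excel 4.0 macro sheets that are hidden or very hidden: the condition behind the report's signature."""
    return [s for s in list_sheets(stream)
            if s["type"] == "Excel 4.0 macro sheet" and s["state"] != "visible"]


def _record(rec_id: int, body: bytes) -> bytes:
    return struct.pack("<HH", rec_id, len(body)) + body


def _boundsheet(offset: int, hs_state: int, dt: int, name: str) -> bytes:
    name_b = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBBBB", offset, hs_state, dt, len(name_b), 0) + name_b)


def build_sample_stream() -> bytes:
    """Constructed Workbook stream: a globals substream with two BoundSheet8 records, then zero-filled
    stand-ins for the sheet substreams. The 4672-byte macro sheet mirrors the size the report flagged."""
    sheet1 = bytes(200)
    macro1 = bytes(4672)
    bof = _record(BOF, bytes(16))
    eof = _record(EOF, b"")
    header_len = (len(bof) + len(_boundsheet(0, 0, 0x00, "Sheet1"))
                  + len(_boundsheet(0, 2, 0x01, "Macro1")) + len(eof))
    off_sheet1 = header_len
    off_macro1 = header_len + len(sheet1)
    return (bof
            + _boundsheet(off_sheet1, 0x00, 0x00, "Sheet1")
            + _boundsheet(off_macro1, 0x02, 0x01, "Macro1")  # very hidden + Excel 4.0 macro sheet
            + eof + sheet1 + macro1)


if __name__ == "__main__":
    for s in hidden_macro_sheets(build_sample_stream()):
        print(f"{s['name']}: {s['state']} {s['type']} at offset {s['offset']}, ~{s['approx_size']} bytes")
```

The size estimate is deliberately coarse: it is the distance between consecutive sheet start offsets, which is what a sandbox means by "sheet size" in this context, not the number of populated cells.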
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw Jump to dropped file
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67328FD4 NtQueryInformationProcess, 1_2_67328FD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67329272 CreateProcessA,NtUnmapViewOfSection, 1_2_67329272
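The two call sites above are the classic fingerprint of process hollowing: CreateProcessA followed by NtUnmapViewOfSection in a single function at 1_2_67329272 (create the host process suspended, then unmap its original image), and NtQueryInformationProcess at 1_2_67328FD4, which with ProcessBasicInformation is the usual way to locate the child's PEB so that ImageBaseAddress can be rewritten. The remaining steps of the technique are writing the replacement image with WriteProcessMemory, pointing the primary thread at the new entry point with SetThreadContext, and calling ResumeThread. The detector below is an added example, not code from the report: it correlates those calls per caller and handle over an API trace and raises a finding when a CREATE_SUSPENDED child is written to, has its thread context replaced and is resumed. NtUnmapViewOfSection is recorded but not required, because some hollowers skip it. The trace format, PIDs and handle values are constructed for the example and are not Joe Sandbox's log format.

```python
CREATE_SUSPENDED = 0x00000004

# Constructed API trace in a made-up "<caller pid> <api> key=value ..." format. Handle values and
# PIDs are invented. Caller 2244 performs a full hollowing sequence; caller 5000 starts a process
# normally and merely resumes a thread, and must not be flagged.
SAMPLE_TRACE = """\
2244 CreateProcessA lpApplicationName=C:\\Windows\\System32\\svchost.exe dwCreationFlags=0x00000004 hProcess=0x1a4 hThread=0x1a8 dwProcessId=3456
2244 NtQueryInformationProcess ProcessHandle=0x1a4 ProcessInformationClass=0
2244 NtUnmapViewOfSection ProcessHandle=0x1a4 BaseAddress=0x00400000
2244 VirtualAllocEx hProcess=0x1a4 lpAddress=0x00400000 dwSize=0x0001c000 flProtect=0x40
2244 WriteProcessMemory hProcess=0x1a4 lpBaseAddress=0x00400000 nSize=0x00000200
2244 WriteProcessMemory hProcess=0x1a4 lpBaseAddress=0x00401000 nSize=0x00001000
2244 SetThreadContext hThread=0x1a8
2244 ResumeThread hThread=0x1a8
5000 CreateProcessA lpApplicationName=C:\\Windows\\System32\\cmd.exe dwCreationFlags=0x00000000 hProcess=0x2ac hThread=0x2b0 dwProcessId=5100
5000 ResumeThread hThread=0x2b0
"""


def parse_line(line: str):
    """Split one trace line into (caller pid, api name, {argument: value})."""
    pid, api, *pairs = line.split()
    return int(pid), api, dict(p.split("=", 1) for p in pairs)


def detect_hollowing(trace: str) -> list:
    """Return one finding per suspended child that was written to, re-pointed and resumed."""
    suspended = {}   # (caller pid, process handle) -> state of a CREATE_SUSPENDED child
    by_thread = {}   # (caller pid, thread handle)  -> key into `suspended`
    findings = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, api, args = parse_line(line)
        if api in ("CreateProcessA", "CreateProcessW"):
            if int(args.get("dwCreationFlags", "0"), 16) & CREATE_SUSPENDED:
                key = (pid, args["hProcess"])
                suspended[key] = {
                    "child_pid": int(args.get("dwProcessId", "0")),
                    "image": args.get("lpApplicationName"),
                    "stages": ["CreateProcess(CREATE_SUSPENDED)"],
                }
                by_thread[(pid, args["hThread"])] = key
        elif api == "NtUnmapViewOfSection":
            key = (pid, args.get("ProcessHandle"))
            if key in suspended:
                suspended[key]["stages"].append(api)
        elif api in ("VirtualAllocEx", "WriteProcessMemory"):
            key = (pid, args.get("hProcess"))
            if key in suspended and api not in suspended[key]["stages"]:
                suspended[key]["stages"].append(api)
        elif api in ("SetThreadContext", "ResumeThread"):
            key = by_thread.get((pid, args.get("hThread")))
            if key is None:
                continue
            state = suspended[key]
            state["stages"].append(api)
            # The decisive moment: a suspended child with a foreign image and a redirected
            # thread context is resumed. Unmapping is optional, so it is not part of the test.
            if api == "ResumeThread" and {"WriteProcessMemory", "SetThreadContext"} <= set(state["stages"]):
                findings.append({"parent_pid": pid, "child_pid": state["child_pid"],
                                 "image": state["image"], "stages": list(state["stages"])})
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"pid {f['parent_pid']} hollowed pid {f['child_pid']} ({f['image']}): {' -> '.join(f['stages'])}")
```

Keying on the handle returned by CreateProcess is what makes this robust against interleaved activity from the same caller; a detector that only counts API names in order will fire on installers and debuggers that legitimately use CREATE_SUSPENDED.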
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6732353B 1_2_6732353B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6732F5B3 1_2_6732F5B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67331580 1_2_67331580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6733A4E1 1_2_6733A4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67387C26 1_2_67387C26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6738B44E 1_2_6738B44E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6739798C 1_2_6739798C
Document contains embedded VBA macros
Source: Documents_111651917_375818984.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll 0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
Source: Joe Sandbox View Dropped File: C:\Users\user\bsdnbsej.dbw 0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6732ACF0 appears 34 times
Yara signature match
Source: Documents_111651917_375818984.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp Binary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
Source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp Binary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
Source: classification engine Classification label: mal100.expl.evad.winXLS@5/13@1/3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\29779F63.emf Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{4e207749-963e-4384-8e88-b716f4ea4ff2}
Source: C:\Windows\SysWOW64\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{809d51db-050d-477f-a665-11706e16a8a0}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{006DB4C5-B21C-4B55-8F31-0A3839BFD91D} - OProcSessId.dat Jump to behavior
Source: Documents_111651917_375818984.xls OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: dnsapi.pdbUGP source: cmd.exe, 00000007.00000002.972468741.00000000010B0000.00000002.00000001.sdmp
Source: Binary string: wininet.pdb source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb source: vegas[1].dll.0.dr
Source: Binary string: bcrypt.pdb source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp
Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000007.00000002.974902866.0000000004EB0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000007.00000002.974902866.0000000004EB0000.00000002.00000001.sdmp
Source: Binary string: msi.pdbUGP source: cmd.exe, 00000007.00000002.973317482.0000000004AC0000.00000002.00000001.sdmp
Source: Binary string: ole32.pdbUGP source: cmd.exe, 00000007.00000002.972298615.0000000000D30000.00000002.00000001.sdmp
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb@ source: vegas[1].dll.0.dr
Source: Binary string: ole32.pdb source: cmd.exe, 00000007.00000002.972298615.0000000000D30000.00000002.00000001.sdmp
Source: Binary string: advapi32.pdb source: rundll32.exe, 00000001.00000003.711716149.0000000003035000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: msi.pdb source: cmd.exe, 00000007.00000002.973317482.0000000004AC0000.00000002.00000001.sdmp
Source: Binary string: crypt32.pdbUGP source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp
Source: Binary string: bcrypt.pdbGCTL source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbUGP source: rundll32.exe, 00000001.00000003.711716149.0000000003035000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: cmd.exe, 00000007.00000002.972468741.00000000010B0000.00000002.00000001.sdmp
Source: Binary string: netapi32.pdb source: cmd.exe, 00000007.00000002.972431909.0000000000E30000.00000002.00000001.sdmp
Source: Binary string: shlwapi.pdb source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbUGP source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp
Source: Binary string: netapi32.pdbUGP source: cmd.exe, 00000007.00000002.972431909.0000000000E30000.00000002.00000001.sdmp
Source: Binary string: wininet.pdbUGP source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp
Source: Binary string: shell32.pdbUGP source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: crypt32.pdb source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6733AC21 push ecx; ret 1_2_6733AC34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6734D7A9 push esi; iretd 1_2_6734D7D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_673896ED push ecx; ret 1_2_67389700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6734C6D1 push cs; retn 0000h 1_2_6734C6D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6734EEC4 push es; iretd 1_2_6734EEC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6734CAEC push ebx; ret 1_2_6734CAF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6734E143 push ecx; iretd 1_2_6734E144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_673A069F push dword ptr [edi]; iretd 1_2_673A06A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_673A2992 push edi; ret 1_2_673A29F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_673A1CCC push edx; iretd 1_2_673A1CD7

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw Jump to dropped file
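Three of the report's findings fit together: EXCEL.EXE wrote C:\Users\user\bsdnbsej.dbw, that file has the same SHA256 as the vegas[1].dll that landed in the IE cache (so the .dbw is the downloaded DLL under a non-DLL name), and EXCEL.EXE then ran rundll32 ..\bsdnbsej.dbw,PluginInit to load it by relative path. Each of those is alertable on its own; together they are the usual Excel 4.0 macro loader chain. The Python below is an added example, not code from the report: it parses a rundll32 command line, resolves the module against the parent's working directory, and flags an Office parent, a user-writable location, a non-DLL extension, and, when the first bytes of the module are available, PE content behind that extension (an MZ header whose e_lfanew points at PE\0\0). The working directory assumed for Excel, the synthetic PE header and the benign comparison event are constructed for the example; the report does not record the working directory.

```python
import ntpath
import re
import struct

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# rundll32[.exe] <module>,<export> ...   (module optionally quoted; whitespace around the comma allowed)
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)"?\s*,\s*(\S+)', re.IGNORECASE)


def parse_rundll32_cmdline(cmdline: str):
    """Return (module, export) from a rundll32 command line, or None if it does not match."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def assess_rundll32_event(event: dict) -> list:
    """event keys: parent_image, cwd, cmdline, module_bytes (leading bytes of the module on disk)."""
    parsed = parse_rundll32_cmdline(event["cmdline"])
    if parsed is None:
        return []
    module, export = parsed
    # rundll32 resolves a relative module path against the current directory it inherited.
    full = module if ntpath.isabs(module) else ntpath.normpath(ntpath.join(event["cwd"], module))
    ext = ntpath.splitext(full)[1].lower()
    reasons = []
    if ntpath.basename(event["parent_image"]).lower() in OFFICE_PARENTS:
        reasons.append("rundll32 spawned by an Office process")
    if full.lower().startswith("c:\\users\\"):
        reasons.append(f"module resolved to a user-writable path: {full}")
    if ext not in DLL_EXTENSIONS:
        reasons.append(f"module extension {ext or '(none)'} is not a DLL extension (export {export})")
        if looks_like_pe(event.get("module_bytes", b"")):
            reasons.append("module content is a PE image despite its extension")
    return reasons


def _fake_pe_header() -> bytes:
    """Constructed minimal MZ/PE prefix: enough for the magic check, not a loadable image."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed events. The cwd for Excel is an assumption chosen so that "..\bsdnbsej.dbw"
# resolves to the path the report shows; the report itself does not record the directory.
SAMPLE_EVENT = {
    "parent_image": "C:\\Program Files (x86)\\Microsoft Office\\Office16\\EXCEL.EXE",
    "cwd": "C:\\Users\\user\\Documents",
    "cmdline": "rundll32 ..\\bsdnbsej.dbw,PluginInit",
    "module_bytes": _fake_pe_header(),
}
BENIGN_EVENT = {
    "parent_image": "C:\\Windows\\explorer.exe",
    "cwd": "C:\\Windows\\System32",
    "cmdline": "rundll32.exe shell32.dll,Control_RunDLL",
    "module_bytes": _fake_pe_header(),
}


if __name__ == "__main__":
    for name, event in (("sample", SAMPLE_EVENT), ("benign", BENIGN_EVENT)):
        print(name, assess_rundll32_event(event) or ["no findings"])
```

The content check matters because the sandbox's "non-matching file extension" verdict is exactly that: the bytes say PE while the name says .dbw. An EDR rule keyed only on the extension misses the same loader when the dropper picks .dll, and one keyed only on the parent misses it when the macro launches rundll32 through an intermediate cmd.exe.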

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 245481
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 248977
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 308250
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 276112
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 453874
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 564679
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 198282
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 295626
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 465541
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -245481s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -248977s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -308250s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -276112s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -84184s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -453874s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -59831s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -564679s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -51978s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -198282s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -295626s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -58419s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -465541s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -102944s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -55018s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67335D36 FindFirstFileExW, 1_2_67335D36
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 245481
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 248977
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 308250
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 276112
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 84184
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 453874
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 59831
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 564679
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 51978
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 198282
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 295626
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 58419
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 465541
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 102944
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 55018
Source: rundll32.exe, 00000001.00000002.802478061.000000000301A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_673337A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_673337A2
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67332A8C mov eax, dword ptr fs:[00000030h] 1_2_67332A8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67335960 mov eax, dword ptr fs:[00000030h] 1_2_67335960
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6739FEC2 mov eax, dword ptr fs:[00000030h] 1_2_6739FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6739FDF8 mov eax, dword ptr fs:[00000030h] 1_2_6739FDF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6739F9FF push dword ptr fs:[00000030h] 1_2_6739F9FF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67323E56 __EH_prolog3_GS,__fassign,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,__fassign,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree, 1_2_67323E56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_673337A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_673337A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6732A7E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6732A7E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6732A9E4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6732A9E4

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.222.240.99 187
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 11D0000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D0000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\rundll32.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 11D0000
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11FF000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 120A000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 120C000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 120D000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1011
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1068
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D106C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1072
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D107C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1082
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1087
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1091
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1097
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D109B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D10FC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1100
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1106
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1110
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1116
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D111B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1125
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D112B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D112F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1184
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1188
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D118E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1198
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D119E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D11A3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D11AD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D11B3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D11B7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1210
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1214
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D121A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1224
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D122A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D122F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1239
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D123F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1243
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12CB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12CF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12D6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12E6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12EB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12F5
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12FB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1350
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1354
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D135A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1364
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D136A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D136F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1379
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D137F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1383
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D141B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D141F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1426
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1430
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1436
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D143B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1445
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D144B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D144F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14A4
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14A8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14AE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14B8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14BE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14C3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14CD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14D3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14D7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1538
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D153C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1542
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D154C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1552
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1557
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1561
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1567
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D156B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15C8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15CC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15D2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15DC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15E2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15E7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15F1
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15F7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15FB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1616
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1623
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1641
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D164C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D16FA
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1700
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1706
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D179A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D17A0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D17A6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D193E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1944
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D194A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D197A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A31
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A36
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A4B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A54
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1AE0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1B30
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1BFD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1C03
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1C09
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1E19
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1E1F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1E60
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2125
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D212B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2131
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D220A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2210
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2216
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D22C0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D22C6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D22CC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2375
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D237B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2381
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D243C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2442
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2448
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D25A7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D25DC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2601
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2607
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2677
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D267D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D26CB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D26D2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D26DB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D26FE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2704
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D276D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2773
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D27C0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D27C6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D280A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2847
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D284D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D28A0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D28A6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D28EA
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D290D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2913
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2980
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2986
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D29CA
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D29E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2A09
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2A0F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2A78
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2A7E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2ACF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2AF2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2AF8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2B62
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2B68
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BAC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BC0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BCE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BF3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BF9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2C3B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2C65
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2C6B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2CAF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2CD2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2CD8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2D41
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2D47
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2D8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2DAE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2DB4
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2DF5
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E20
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E26
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E6A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E93 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2EFD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2F03 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2F47 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2F6A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2F70 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2FB4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2FD5 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2FDB Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3044 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D304A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3098 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30AC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30B3 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30B8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30C3 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30CC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30E7 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30ED Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3131 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3154 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D315A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D319C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D31B7 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D31BD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3201 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3224 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D322A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D326C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3287 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D328D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D32E4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D32EA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D332C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3347 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D334D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3399 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D339F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D33F0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D33F4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D33F8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D33FC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3400 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3404 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3408 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D340C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3410 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D34A7 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D34AD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3501 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D356A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D35D2 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D35E6 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3607 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3613 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3630 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D36A9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D36FD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3704 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3715 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3723 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D372A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D37F9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3856 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D38EA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D394A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D39D6 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A13 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A1A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A40 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A46 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A52 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A77 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A97 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3AB9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3ACD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3AD8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3B07 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3B10 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3B3A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3B74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3C1F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3C5A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3D6C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3DAE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3DB8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3E9C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3F9F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3FAE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4077 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D407D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4168 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D418E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D419A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D41B6 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4260 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D42C8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D42F8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4300 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D432B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4333 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4369 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D43AB Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D43E1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D43FA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4400 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D443A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D45E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4637 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D481B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D48C5 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D48CC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D48F7 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4A6A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4B21 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4B28 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4B5A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4B8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4D46 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4D90 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4DCF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4DDC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4DE3 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4DFB Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4E6D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4EB9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4EC6 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4ECD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4EE4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4F31 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4F49 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4F7E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4F90 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D508A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5099 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D50A0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5135 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D517A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5197 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D51E3 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D51EE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5266 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D529B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D52AE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D52EA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D52F5 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D532A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D53E7 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5580 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5587 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D55EE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D55F5 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5616 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D561D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5678 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D567F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D56E3 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D56F8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5747 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5759 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D57FD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5818 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D58D7 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D58DE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D58F9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5905 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5913 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5969 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5981 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D598C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5993 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D59B3 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5A22 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5A6A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5B33 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5BD2 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5BEB Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5BF2 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5C0B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5C40 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5C71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5C78 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5E3F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5FA2 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5FA9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5FC9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5FD0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6137 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6194 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D61A1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6200 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6207 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6225 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D622C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6267 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D62E3 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6358 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D635F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D63DD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D63E4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D640A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6411 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D644A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D64FD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D65A1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D65A8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66B8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66BF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66DA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66E7 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66EE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66FD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6724 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6798 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D67A6 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D67C8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D67D7 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D67FA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6940 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D694D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6954 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D696B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D69A8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6A5D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6A64 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6B68 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6B6F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6BF5 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6C02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6C09 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6C1B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6C4E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6CAF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6CBD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6CDF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6CEE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6D07 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6D77 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
Source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp, cmd.exe, 00000007.00000002.972852929.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: cmd.exe, 00000007.00000002.972852929.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: cmd.exe, 00000007.00000002.972852929.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
Source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp Binary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp Binary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp Binary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
Source: cmd.exe, 00000007.00000002.972852929.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp Binary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6732AB0A cpuid 1_2_6732AB0A
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, 1_2_67394633
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_67393A08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_67393A74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 1_2_6738FABC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 1_2_673940E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6732AD36 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6732AD36
Behavior Graph:

Behavior Graph ID: 403285
Sample: Documents_111651917_375818984.xls
Startdate: 04/05/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  • Document exploit detected (drops PE files)
  • Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  • Drops PE files to the user root directory
  • 4 other signatures

EXCEL.EXE (started)
  • DNS/IP: otusmail.com 104.21.64.132, 443, 49709 CLOUDFLARENETUS United States
  • Dropped: C:\Users\user\bsdnbsej.dbw, PE32
  • Dropped: C:\Users\user\AppData\Local\...\vegas[1].dll, PE32
  • Document exploit detected (creates forbidden files)
  • Document exploit detected (UrlDownloadToFile)

  rundll32.exe (started by EXCEL.EXE)
    • DNS/IP: 18.222.240.99, 443, 49735, 49738 AMAZON-02US United States
    • System process connects to network (likely due to code injection or exploit)
    • Writes to foreign memory regions
    • Allocates memory in foreign processes
    • 2 other signatures

    cmd.exe (started by rundll32.exe)
      • DNS/IP: 54.163.9.216, 443, 49739, 49740 AMAZON-AESUS United States

Contacted Public IPs

IP              Domain         Country        ASN    ASN Name          Malicious
104.21.64.132   otusmail.com   United States  13335  CLOUDFLARENETUS   false
18.222.240.99   unknown        United States  16509  AMAZON-02US       true
54.163.9.216    unknown        United States  14618  AMAZON-AESUS      false

Contacted Domains

Name           IP              Active
otusmail.com   104.21.64.132   true