Source: Process started | Author: Florian Roth: Data: Command: C:\Windows\splwow64.exe 12288, CommandLine: C:\Windows\splwow64.exe 12288, CommandLine|base64offset|contains: m, Image: C:\Windows\splwow64.exe, NewProcessName: C:\Windows\splwow64.exe, OriginalFileName: C:\Windows\splwow64.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /n 'C:\Users\user\Downloads\1019_4033561623981.doc' /o '', ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 7048, ProcessCommandLine: C:\Windows\splwow64.exe 12288, ProcessId: 6660 |
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD, CommandLine: rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /n 'C:\Users\user\Downloads\1019_4033561623981.doc' /o '', ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 7048, ProcessCommandLine: rundll32.exe c:\users\user\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD, ProcessId: 6212 |
Source: http://newnucapi.com/8/forum.php | Avira URL Cloud: Label: malware |
Source: 11.2.rundll32.exe.65220000.0.unpack | Avira: Label: TR/Hijacker.Gen |
Source: Yara match | File source: 11.3.rundll32.exe.13b3d4c.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.2.rundll32.exe.65220000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0000000B.00000003.387311451.00000000013B0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000002.579491248.0000000065223000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6212, type: MEMORYSTR |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_65222131 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, | 11_2_65222131 |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\6768_1037701863\LICENSE.txt |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic |
Source: | Binary string: c:\clothe\923\Sight\Captain\Sell\cool.pdb source: rundll32.exe, 0000000B.00000002.579536725.0000000065261000.00000002.00020000.sdmp, gelfor.dap.6.dr |
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe |
Source: Traffic | Snort IDS: 2034127 ET TROJAN Tordal/Hancitor/Chanitor Checkin 192.168.2.3:49800 -> 95.47.161.27:80 |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: newnucapi.com |
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 95.47.161.27 80 |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: api.ipify.org |
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 54.243.41.12 80 |
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743 |
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735 |
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729 |
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725 |
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724 |
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722 |
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686 |
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757 |
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49678 |
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49677 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752 |
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751 |
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750 |
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747 |
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 19 Oct 2021 18:48:41 GMTServer: ApacheX-Powered-By: PHP/7.3.30Upgrade: h2,h2cConnection: Upgrade, Keep-AliveVary: Accept-EncodingContent-Encoding: gzipContent-Length: 440Keep-Alive: timeout=5, max=100Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 85 53 cb 4e c3 30 10 bc f7 2b 96 08 11 bb 2d 69 e1 c0 c5 0d 5c 10 88 03 e2 40 4f 20 40 51 b2 6d 23 1c 3b 8a 1d 40 3c fe 9d 75 ea 3c 5a 21 91 43 2c 7b 67 67 67 c6 c9 c2 a4 55 5e da f3 d1 08 e8 91 68 21 83 18 8e 15 be c3 65 62 91 f1 68 8d 76 99 17 f8 a9 15 de ad 56 06 2d e3 a2 03 2b 02 df 28 2b 23 07 76 b0 2b 5d 15 09 41 a2 0a 8d 96 6f 98 dd 95 36 d7 ca d0 89 a5 f2 03 b1 88 ed ac 55 ad 52 57 02 a2 7c 49 b5 7e cd 11 98 4a 0a 9c c2 5b 22 6b 5a 8a 5c d5 16 0d 87 af a6 01 c0 2f 5e 27 4d a4 e9 bd 52 d1 95 5d 29 32 5b dd ac d9 78 13 8c c3 04 98 e7 85 31 9c cd e9 75 32 9f cf f9 a0 7b 67 0a 7e 94 39 59 a1 41 41 f0 07 24 5f 75 74 bc 3b 74 cf a0 4f b4 9b 38 98 34 62 ac be be 5d de db 2a 57 eb a1 ea 1d e2 4c a7 75 81 ca 46 3e 19 32 4a d1 90 fa 20 0e e8 8d 26 4d 4a ca ab 49 ca 99 f2 23 26 81 28 13 bb 89 67 34 d5 b3 fd ec c5 bd 1e c4 bd 5d 5f 1c 75 9f b2 b3 4d 54 b5 b4 4e fe 9e 90 88 6e 37 dd 00 0b d9 f3 b7 e0 70 11 d2 ec 01 0b ed c2 98 3d 3e 8b a7 31 67 e2 fb 90 87 ad c1 51 1f 98 27 ef 03 ab d0 d6 95 02 56 ab d6 97 87 3c 9e 3e f5 37 83 d2 e0 7e 8b aa a5 14 43 9b 8e ff a0 b7 c8 c2 2c e4 70 74 04 3b 67 2a e4 bd 5d 18 7c 80 0e 3e 85 6c 0a a7 83 7b 31 3b 9d 53 50 db 72 57 9f cd da 8c 20 02 a9 d3 a4 89 39 22 89 52 27 59 7b c3 5e df 62 e6 7f b8 85 5f ff e9 ed f0 bf 8b e8 87 25 a9 03 00 00 Data Ascii: SN0+-i\@O @Qm#;@<u<Z!C,{gggU^h!ebhvV-+(+#v+]Ao6URW|I~J["kZ\/^'MR])2[x1u2{g~9YAA$_ut;tO84b]*WLuF>2J &MJI#&(g4]_uMTNn7p=>1gQ'V<>7~C,pt;g*]|>l{1;SPrW 9"R'Y{^b_% |
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 19 Oct 2021 18:48:41 GMTServer: ApacheX-Powered-By: PHP/7.3.30Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 548Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 6d 53 5d 4f db 30 14 7d ef af b8 8b b6 c6 a1 25 49 33 51 c1 d2 80 10 55 11 d2 18 93 c6 d3 10 20 2b b9 6d 2d 1c 3b 4b 9c b2 0f f6 df 77 dd a6 4d 5a 2d 0f b6 7c 3f ce 3d e7 38 9e 54 69 29 0a 73 de eb 01 7d 12 0d 64 90 c0 b1 c2 57 98 72 83 cc f3 17 68 ee 45 8e bf b5 c2 bb f9 bc 42 c3 bc 78 57 ac a8 f8 46 19 e9 db 62 5b 36 d3 65 ce a9 c4 2f b1 d2 72 85 d9 5d 61 84 56 15 45 0c a5 bf 13 4a bc 99 35 af 55 6a 53 40 90 cf a9 d6 2f 02 81 29 9e e3 10 56 5c d6 b4 e5 42 d5 06 2b 0f fe ac 1b 00 9a ad e1 49 13 69 7a cb 34 de a5 6d ca af 36 bc d9 fa d0 88 60 1e 0c 80 35 b8 70 04 e3 90 96 51 18 86 5e a7 7b 6f 0a fe 2c 04 49 a1 41 8e f3 9f 12 31 df c1 79 bb a0 fd 3a 7d f1 f6 90 38 83 35 19 a3 af 6f ef bf 99 52 a8 45 97 f5 1e 70 a6 d3 3a 47 65 fc c6 19 12 4a d6 10 7b 27 71 68 c5 2a e5 05 f9 b5 76 ca 8a 6a 46 0c 9c b8 e0 66 99 04 34 b5 41 fb 7b 60 f7 a2 63 f7 66 7f b6 d0 ad cb 56 36 41 d5 d2 58 fa 07 44 7c ba dd 74 09 cc 65 4f 6f b1 07 17 2e cd ee a0 d0 c9 4d d8 c3 53 fc 78 e4 b1 f8 ed bd e7 6e 05 f6 5a c3 1a f0 d6 b0 12 4d 5d 2a 60 b5 da ea 6a 4a 1e a2 c7 f6 66 50 56 78 d8 a2 6a 29 e3 ae 4c 8b ff ae 95 c8 dc cc f5 a0 df 87 bd 98 72 bd 56 2e 74 7e 40 5b 3e 84 6c 08 51 e7 5e aa bd ce 21 a8 4d 7a 97 0f 82 ad 47 e0 83 d4 29 5f db ec 13 45 a9 79 b6 bd e1 86 df 24 68 1e dc 24 47 c3 61 69 4c 71 8c 3f 6a b1 4a dc 12 e7 24 7b e9 92 9f ca 10 5a e2 86 71 5d ca c4 d6 54 9f 82 80 9e 4e 56 8a 15 fa d2 2e a9 ce 69 ee ab b2 33 2e 52 91 25 e1 74 76 72 36 1b 9d 5d 5d 4e 3f 9e 46 d1 ac 4f 60 14 3e 88 7e 88 46 a3 d1 49 9f d7 66 f9 82 bf 92 cb 2f b3 fc f4 eb f8 33 bf be bd 19 57 ba 8f 79 12 b9 e7 bd 7f 72 fe 6c 4f 16 04 00 00 Data Ascii: mS]O0}%I3QU +m-;KwMZ-|?=8Ti)s}dWrhEBxWFb[6e/r]aVEJ5UjS@/)V\B+Iiz4m6`5pQ^{o,IA1y:}85oREp:GeJ{'qh*vjFf4A{`cfV6AXD|teOo.MSxnZM]*`jJfPVxj)LrV.t~@[>lQ^!MzG)_Ey$h$GaiLq?jJ${Zq]TNV.i3.R%tvr6]]N?FO`>~FIf/3WyrlO |
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 19 Oct 2021 18:48:42 GMTServer: ApacheX-Powered-By: PHP/7.3.30Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 2663Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1a 6d 6f db b8 f9 73 f2 2b 18 35 98 6d 2c 92 ec eb ba 6b 1b db 43 9a 7a bd 0c 69 1b d4 c5 0d 87 20 38 d0 12 2d b1 a1 44 1d 49 d9 09 ba fc f7 3d a4 24 db 92 25 db c9 92 a0 07 cc c8 8b 45 3e ef 6f 7c 28 b2 7f f0 fe f3 e9 d7 df 2e 46 28 54 11 1b ee f7 0f 6c fb 92 4e d1 d9 08 bd be 1a a2 be 1e 45 0c c7 c1 c0 22 b1 85 3c 86 a5 1c 58 94 bc b6 60 f2 e0 92 c4 3e 9d 5e d9 f6 12 f1 e0 6c 74 35 d4 0f 30 54 46 ce 60 4a 48 fb 00 43 b0 3f dc df eb 47 44 61 e4 85 58 48 a2 06 56 aa a6 f6 6b 0b b9 7a 46 51 c5 c8 f0 7d ca 42 fc 01 e6 d1 38 e4 73 c1 79 84 fe 83 ce 79 40 63 74 81 03 d2 77 33 b0 05 25 1e 2b 12 03 a5 39 f5 55 38 f0 c9 8c 7a c4 36 0f 47 88 c6 54 51 cc 6c e9 61 46 06 3d a7 7b 84 22 7c 43 a3 34 5a 1d 4a 25 11 e6 19 4f 60 28 e6 16 8a 71 44 06 d6 8c 92 79 c2 85 ca c5 2b b3 3b 89 25 16 14 fd 1b 2b 2f 44 bf 70 a0 51 a0 f9 44 7a 82 26 8a f2 f8 9e 98 38 55 21 17 19 12 a0 81 11 d1 60 ed 83 de 8d 3e 9c 7d 42 ef 4e c6 23 74 3a 1e a3 f1 d7 df ce 47 75 70 da ee 7b 7d 46 e3 6b 14 0a 32 1d 58 a1 52 c9 5b d7 9d 82 20 d2 09 38 0f 18 c1 09 95 8e c7 23 d7 93 f2 1f 53 1c 51 76 3b f8 9c 90 f8 af 63 1c cb b7 2f bb dd a3 bf c1 ef df e1 f7 e7 6e d7 42 82 b0 81 25 d5 2d 23 32 24 44 59 15 06 10 32 44 49 37 61 29 78 4b ba df fe 48 89 b8 b5 53 ea aa 90 44 44 ba 13 2c 89 1b 81 53 a6 94 f8 cb 69 07 86 1c 10 60 9d 7e 66 be 66 0e 13 ce 95 54 02 27 5a fe e5 d3 c3 09 6a db d8 78 4e 24 8f 88 a1 b9 3a 70 7f b2 9a 02 8e 69 84 d5 03 91 0d d8 ff 80 6a 0b 22 13 1e 4b 3a 7b 20 15 e3 39 d7 27 53 9c 32 d5 80 4e fd 81 65 e0 72 4a 0d 71 3b fa f4 7e d7 a8 dd 29 f8 ff 35 6e 8e fa 2c 03 91 14 de 9a 8b 13 ec 11 f3 c7 18 e4 9b b4 86 7d 37 03 df 45 f6 66 a6 7d 37 ab 70 fd 09 f7 6f 8b fa a9 f9 d8 8a 27 68 12 d8 f3 90 2a 62 15 4c 26 44 57 b4 17 09 94 34 9b 71 ec 13 91 8b ee d3 99 b1 e8 ca cc a2 1c 4f e1 09 8a 1a 88 2c 13 1c 17 a3 32 a1 71 0c 50 5a 11 18 86 7f 40 a3 e0 03 35 b8 86 4b 8d 10 ba 3e 61 1a d7 cb b1 98 2c 89 a2 95 41 f0 59 a1 c5 4c a1 d6 14 50 fe 31 84 72 a4 6c d6 fc 85 12 ad 42 3b 26 73 69 4f 09 f1 ad 25 42 85 e2 02 a4 44 b5 4a b9 89 50 2d 1c 24 64 40 6a 00 0d 30 8d 82 52 dc c0 b3 9b 49 3c 09 5c 99 2f 49 ce b7 24 b0 90 8f 15 b6 b5 8d b2 79 8f cf 60 21 c9 88 23 cc a0 d4 9b 84 58 e3 90 b9 67 db 50 e1 bc 0d f |