Edit tour

Windows Analysis Report
fqJIOoSp5U.dll

Overview

General Information

Sample name:	fqJIOoSp5U.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a.exe
Analysis ID:	1404636
MD5:	d8a8cc25bf5ef5b96ff7a64f663cbd29
SHA1:	d1e5e29c162566ce1d8a3d9c1a758fdbfef74174
SHA256:	aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Execute DLL with spoofed extension

System process connects to network (likely due to code injection or exploit)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 4236 cmdline: loaddll64.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5424 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 3696 cmdline: rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 880 cmdline: rundll32.exe C:\Users\user\Desktop\fqJIOoSp5U.dll,CalculateSum MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6444 cmdline: rundll32.exe C:\Users\user\Desktop\fqJIOoSp5U.dll,CalculateSumW MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5916 cmdline: rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",CalculateSum MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7144 cmdline: rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",CalculateSumW MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2052 cmdline: RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6804 cmdline: RUNDLL32.exe C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555 MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Sigma Signatures

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555, CommandLine: RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555, CommandLine|base64offset|contains: y, Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555, ProcessId: 2052, ProcessName: rundll32.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fqJIOoSp5U.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://91.206.178.125/upload/upload.aspIV	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspjT	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspi	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspEV	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp5/upload/upload.asp	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspQV	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspLz	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp.TM	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspXz	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspOV	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspParameters	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asphttp://91.206.17	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspx	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp;	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp5029	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspXV	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp:TQ	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspEz	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp$TK	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspBV	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp(TG	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspsk	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/Sn	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Avira: detection malicious, Label: TR/ATRAPS.Gen

Multi AV Scanner detection for domain / URL

Source: http://91.206.178.125/upload/upload.asp

Virustotal: Detection: 16%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	Virustotal: Detection: 64%			Perma Link

Multi AV Scanner detection for submitted file

Source: fqJIOoSp5U.dll	ReversingLabs: Detection: 75%
Source: fqJIOoSp5U.dll	Virustotal: Detection: 72%			Perma Link

Source: C:\Windows\System32\rundll32.exe

Code function: 19_2_0000000180007040 malloc,CryptAcquireContextW,GetLastError,wprintf,CryptCreateHash,GetLastError,wprintf,CryptReleaseContext,CryptHashData,GetLastError,wprintf,CryptReleaseContext,CryptDestroyHash,CryptGetHashParam,GetLastError,CryptReleaseContext,CryptDestroyHash,

19_2_0000000180007040

Source: fqJIOoSp5U.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb source: fqJIOoSp5U.dll
Source:	Binary string: F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb source: fqJIOoSp5U.dll

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 91.206.178.125 80

Jump to behavior

Source: Joe Sandbox View

ASN Name: ARTNET2PL ARTNET2PL

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 91.206.178.125:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125

Source: C:\Windows\System32\rundll32.exe

Code function: 19_2_00000001800023F0 HttpQueryInfoA,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,

19_2_00000001800023F0

Source: rundll32.exe, 00000013.00000003.1911259788.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1697865690.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/Sn
Source: rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp
Source: rundll32.exe, 00000013.00000003.1911259788.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2334701578.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp$TK
Source: rundll32.exe, 00000013.00000003.1911259788.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2334701578.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp(TG
Source: rundll32.exe, 00000013.00000003.1911259788.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2334701578.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp.TM
Source: rundll32.exe, 00000013.00000003.2122986845.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp5/upload/upload.asp
Source: rundll32.exe, 00000013.00000003.2334701578.00000168A5348000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A5348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp5029
Source: rundll32.exe, 00000013.00000003.1911259788.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp:TQ
Source: rundll32.exe, 00000013.00000002.2439420006.0000001077D44000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp;
Source: rundll32.exe, 00000013.00000003.2334701578.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspBV
Source: rundll32.exe, 00000013.00000003.1911259788.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2334701578.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspEV
Source: rundll32.exe, 00000013.00000003.2334701578.00000168A5389000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A5389000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1911259788.00000168A5380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1697865690.00000168A5380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A5389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspEz
Source: rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspIV
Source: rundll32.exe, 00000013.00000003.2334701578.00000168A5389000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A5389000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1911259788.00000168A5380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A5389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspLz
Source: rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspOV
Source: rundll32.exe, 00000013.00000003.1911259788.00000168A5348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspParameters
Source: rundll32.exe, 00000013.00000003.2334701578.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspQV
Source: rundll32.exe, 00000013.00000003.2334701578.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspXV
Source: rundll32.exe, 00000013.00000003.2334701578.00000168A5389000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A5389000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1911259788.00000168A5380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1697865690.00000168A5380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A5389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspXz
Source: rundll32.exe, 00000013.00000002.2439019102.0000000180051000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asphttp://91.206.17
Source: rundll32.exe, 00000013.00000003.2334701578.00000168A539A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspi
Source: rundll32.exe, 00000013.00000002.2440336550.00000168A539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspjT
Source: rundll32.exe, 00000013.00000003.1911259788.00000168A5348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspsk
Source: rundll32.exe, 00000013.00000003.1911259788.00000168A5380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspx

Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180002430	4_3_0000000180002430
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000000018000966C	4_3_000000018000966C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800017C0	4_3_00000001800017C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180001000	4_3_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180008818	4_3_0000000180008818
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000000018001401C	4_3_000000018001401C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800028C0	4_3_00000001800028C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180001180	4_3_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800039CB	4_3_00000001800039CB
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180006A90	4_3_0000000180006A90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180014AD0	4_3_0000000180014AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180007AD8	4_3_0000000180007AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180011EEC	4_3_0000000180011EEC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180009AEC	4_3_0000000180009AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180004B20	4_3_0000000180004B20
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180007360	4_3_0000000180007360
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000000018000BB9C	4_3_000000018000BB9C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800137B8	4_3_00000001800137B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000000018000C7B8	4_3_000000018000C7B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800013E0	4_3_00000001800013E0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180002430	7_3_0000000180002430
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_000000018000966C	7_3_000000018000966C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800017C0	7_3_00000001800017C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180001000	7_3_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180008818	7_3_0000000180008818
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_000000018001401C	7_3_000000018001401C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800028C0	7_3_00000001800028C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180001180	7_3_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800039CB	7_3_00000001800039CB
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180006A90	7_3_0000000180006A90
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180014AD0	7_3_0000000180014AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180007AD8	7_3_0000000180007AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180011EEC	7_3_0000000180011EEC
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180009AEC	7_3_0000000180009AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180004B20	7_3_0000000180004B20
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180007360	7_3_0000000180007360
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_000000018000BB9C	7_3_000000018000BB9C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800137B8	7_3_00000001800137B8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_000000018000C7B8	7_3_000000018000C7B8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800013E0	7_3_00000001800013E0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180002430	8_3_0000000180002430
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_000000018000966C	8_3_000000018000966C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800017C0	8_3_00000001800017C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180001000	8_3_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180008818	8_3_0000000180008818
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_000000018001401C	8_3_000000018001401C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800028C0	8_3_00000001800028C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180001180	8_3_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800039CB	8_3_00000001800039CB
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180006A90	8_3_0000000180006A90
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180014AD0	8_3_0000000180014AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180007AD8	8_3_0000000180007AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180011EEC	8_3_0000000180011EEC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180009AEC	8_3_0000000180009AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180004B20	8_3_0000000180004B20
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180007360	8_3_0000000180007360
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_000000018000BB9C	8_3_000000018000BB9C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800137B8	8_3_00000001800137B8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_000000018000C7B8	8_3_000000018000C7B8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800013E0	8_3_00000001800013E0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180002430	9_3_0000000180002430
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_000000018000966C	9_3_000000018000966C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800017C0	9_3_00000001800017C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180001000	9_3_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180008818	9_3_0000000180008818
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_000000018001401C	9_3_000000018001401C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800028C0	9_3_00000001800028C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180001180	9_3_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800039CB	9_3_00000001800039CB
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180006A90	9_3_0000000180006A90
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180014AD0	9_3_0000000180014AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180007AD8	9_3_0000000180007AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180011EEC	9_3_0000000180011EEC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180009AEC	9_3_0000000180009AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180004B20	9_3_0000000180004B20
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180007360	9_3_0000000180007360
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_000000018000BB9C	9_3_000000018000BB9C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800137B8	9_3_00000001800137B8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_000000018000C7B8	9_3_000000018000C7B8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800013E0	9_3_00000001800013E0
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00007FFB226732F1	19_2_00007FFB226732F1
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00007FFB22671CCA	19_2_00007FFB22671CCA
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00007FFB22674CC4	19_2_00007FFB22674CC4
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00007FFB22674F68	19_2_00007FFB22674F68
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00007FFB22671C84	19_2_00007FFB22671C84
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180007400	19_2_0000000180007400
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180002040	19_2_0000000180002040
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018000EA8C	19_2_000000018000EA8C
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180008ED0	19_2_0000000180008ED0
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00000001800047F0	19_2_00000001800047F0
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180001000	19_2_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180007A30	19_2_0000000180007A30
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180007040	19_2_0000000180007040
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018000A284	19_2_000000018000A284
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180008290	19_2_0000000180008290
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018000369B	19_2_000000018000369B
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180009CE0	19_2_0000000180009CE0
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018000EF0C	19_2_000000018000EF0C
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018000C518	19_2_000000018000C518
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180002540	19_2_0000000180002540
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180006770	19_2_0000000180006770
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180008B70	19_2_0000000180008B70
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180001180	19_2_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018001119C	19_2_000000018001119C
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018000B5A0	19_2_000000018000B5A0
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018000DFAC	19_2_000000018000DFAC
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00000001800013E0	19_2_00000001800013E0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat 00433EBF3B21C1C055D4AB8A599D3E84F03B328496236B54E56042CEF2146B1C

Source: C:\Windows\System32\rundll32.exe

Code function: String function: 000000018000B40C appears 44 times

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: fqJIOoSp5U.dll

Static PE information: Section: .data ZLIB complexity 0.9890470436151079

Source: classification engine

Classification label: mal100.evad.winDLL@16/2@0/1

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_00000001800017C0 CoInitializeEx,wprintf,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,MultiByteToWideChar,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysFreeString,SysAllocString,VariantInit,VariantInit,SysAllocString,SysFreeString,VariantClear,VariantClear,VariantClear,CoUninitialize,wprintf,CoUninitialize,

4_3_00000001800017C0

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03

Source: fqJIOoSp5U.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fqJIOoSp5U.dll,CalculateSum

Source: fqJIOoSp5U.dll	ReversingLabs: Detection: 75%
Source: fqJIOoSp5U.dll	Virustotal: Detection: 72%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fqJIOoSp5U.dll,CalculateSum
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",#1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fqJIOoSp5U.dll,CalculateSumW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",CalculateSum
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",CalculateSumW
Source: unknown	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.exe C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fqJIOoSp5U.dll,CalculateSum	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fqJIOoSp5U.dll,CalculateSumW	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",CalculateSum	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",CalculateSumW	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",#1	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: fqJIOoSp5U.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: fqJIOoSp5U.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: fqJIOoSp5U.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb source: fqJIOoSp5U.dll
Source:	Binary string: F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb source: fqJIOoSp5U.dll

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_000000018000EE74 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

4_3_000000018000EE74

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_19-18469

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_19-16679

Source: C:\Windows\System32\loaddll64.exe TID: 1092	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1432	Thread sleep time: -240000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: rundll32.exe, 00000013.00000002.2440336550.00000168A52EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\user
Source: rundll32.exe, 00000013.00000003.1911366916.00000168A53A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A53A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1697865690.00000168A535B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2334701578.00000168A5348000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1911259788.00000168A535B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2440336550.00000168A5348000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1697865690.00000168A53A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1911366916.00000168A5365000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2334701578.00000168A53A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2122986845.00000168A5348000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_19-16681

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_3_0000000180009284

Source: C:\Windows\System32\rundll32.exe

4_3_000000018000EE74

Source: C:\Windows\System32\rundll32.exe

Code function: 19_2_00007FFB22671440 VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,

19_2_00007FFB22671440

Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_3_0000000180009284
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800072A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_3_00000001800072A0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_3_0000000180009284
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800072A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_3_00000001800072A0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_3_0000000180009284
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800072A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_3_00000001800072A0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_3_0000000180009284
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800072A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_3_00000001800072A0
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00007FFB22674318 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FFB22674318
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00007FFB22673900 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00007FFB22673900
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_0000000180009400 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000000180009400
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_000000018000C00C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000000018000C00C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 91.206.178.125 80

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fqJIOoSp5U.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_0000000180007964 GetSystemTimeAsFileTime,

4_3_0000000180007964

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_000000018000966C _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

4_3_000000018000966C

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_000000018000BA5C HeapCreate,GetVersion,HeapSetInformation,

4_3_000000018000BA5C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	11 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
fqJIOoSp5U.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fqJIOoSp5U.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
fqJIOoSp5U.dll