Edit tour

Windows Analysis Report
#U0160iauliai.dll

Overview

General Information

Sample name:	#U0160iauliai.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	iauliai.exe
Analysis ID:	1618700
MD5:	1f7370b202a1c069a7b7f065c7dec77c
SHA1:	c6bec119b652e324d6bf81540d271e9564c7f5b6
SHA256:	8cd65c1a0f043d6b2b5630c07e7e5aff039eea2d3fee8f7c6bba6e1c41a6efec
Tags:	exeuser-Bastian455_
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 404 cmdline: loaddll64.exe "C:\Users\user\Desktop\#U0160iauliai.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6904 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 4568 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 5340 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

rundll32.exe (PID: 5960 cmdline: rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,003m1A2V MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 6292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

rundll32.exe (PID: 616 cmdline: rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,0116DBXXNkOBoHSd9 MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 1656 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

InstallUtil.exe (PID: 4196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

rundll32.exe (PID: 5976 cmdline: rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,01xCx0DbbvNE0xVfCt MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 1408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

rundll32.exe (PID: 1132 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",003m1A2V MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 6276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

rundll32.exe (PID: 5968 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",0116DBXXNkOBoHSd9 MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 1588 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

InstallUtil.exe (PID: 1936 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

rundll32.exe (PID: 6876 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",01xCx0DbbvNE0xVfCt MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 3040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

InstallUtil.exe (PID: 3504 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

rundll32.exe (PID: 5316 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zyqASawbBrr1zFVuF MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 5128 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

InstallUtil.exe (PID: 3004 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

rundll32.exe (PID: 3220 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zy7ucLjy07p1lbINwy8ic MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 1088 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

InstallUtil.exe (PID: 7188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

rundll32.exe (PID: 4176 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zuQ2kBcRAG9Rn4s0abI9YEc1r MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 1016 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",ztZxAgNMKz MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2144 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zt0hf0XPOvY1 MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 7228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

rundll32.exe (PID: 1656 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zskuig3 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2300 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zr1gfpGkehUGSz0N5FIUd MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2996 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zqGyaCM4nfzfO2zwJS7YmF MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6672 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zoSZdvNm MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2960 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zmXsK3Gd MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2872 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zhNir09 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2612 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zfRIATEID9dN26prq0vZUJ MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2052 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdsXUc7dY MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5608 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdEmXoa8cYu21lSKstmc1ldaJ7CLfbR MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7180 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdBIf0ig8Rmg8fhaLwnYXcsDKWUNmlB MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7208 cmdline: rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zcQHOKx MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.2242677804.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2242677804.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2242677804.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2122849521.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2122849521.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000023.00000002.2223392161.000001FEE2C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000023.00000002.2223392161.000001FEE2C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.2239877416.0000026D22400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2239877416.0000026D22400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2236601280.0000022371800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2236601280.0000022371800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000021.00000002.2226705541.000001D06BC00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000002.2226705541.000001D06BC00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001C.00000002.2220478952.000001DB60800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000002.2220478952.000001DB60800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001F.00000002.2235949925.0000029977800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.2235949925.0000029977800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2123118942.000002586AC00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2123118942.000002586AC00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.2239622733.00000240D6000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.2239622733.00000240D6000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000026.00000002.2225130467.000001E95B400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000026.00000002.2225130467.000001E95B400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000024.00000002.2240276888.000001EB28C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000002.2240276888.000001EB28C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2242677804.00000000029C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000025.00000002.2240731961.000001E5EBC00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000002.2240731961.000001E5EBC00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2152884734.0000015E45400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2152884734.0000015E45400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2242597580.0000000002E34000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000002.2225117056.000001DE62C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.2225117056.000001DE62C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2242597580.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2242597580.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2242597580.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2123144246.0000020407000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2123144246.0000020407000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000020.00000002.2240400264.0000021E98C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000020.00000002.2240400264.0000021E98C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000028.00000002.2240224279.000001E211C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000002.2240224279.000001E211C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.2215391513.0000020F5F000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2215391513.0000020F5F000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2184237650.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2220365924.0000026E8E800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2220365924.0000026E8E800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2240361897.000002ADE1400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2240361897.000002ADE1400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000022.00000002.2240351092.000002A3AD400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000002.2240351092.000002A3AD400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2184237650.0000000002E64000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2184237650.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2184237650.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2181624470.0000021B24400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2181624470.0000021B24400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001E.00000002.2240490951.000002D341400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.2240490951.000002D341400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2236830094.00000212F2800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2236830094.00000212F2800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 5960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5960	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 4568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 4568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6292	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6292	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AddInProcess32.exe PID: 5340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 5340	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 616	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 616	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 4196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 4196	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 5976	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5976	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1408	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 1132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 1132	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 5968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5968	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 6876	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 6876	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 5316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5316	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 3220	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 3220	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 4176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 4176	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 1016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 1016	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 2144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2144	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 1656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 1656	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 2300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2300	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 2996	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 6672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 6672	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 2960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2960	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 2872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2872	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 2612	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2612	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 2052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2052	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 5608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5608	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 7180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 7180	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rundll32.exe PID: 7208	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 7208	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 109 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
32.2.rundll32.exe.21e98c75501.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
32.2.rundll32.exe.21e98c75501.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
26.2.rundll32.exe.240d60aff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.rundll32.exe.240d60aff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
32.2.rundll32.exe.21e98c75501.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
26.2.rundll32.exe.240d60aff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
33.2.rundll32.exe.1d06bc75501.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.rundll32.exe.1d06bc75501.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
33.2.rundll32.exe.1d06bc75501.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.rundll32.exe.212f28aff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.rundll32.exe.212f28aff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.rundll32.exe.212f28aff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.rundll32.exe.2ade143aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.rundll32.exe.2ade143aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.rundll32.exe.2ade143aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.rundll32.exe.26e8e8aff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.rundll32.exe.26e8e8aff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.rundll32.exe.26e8e8aff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
28.2.rundll32.exe.1db608aff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.rundll32.exe.1db608aff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
28.2.rundll32.exe.1db608aff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
38.2.rundll32.exe.1e95b4aff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.2.rundll32.exe.1e95b4aff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
38.2.rundll32.exe.1e95b4aff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.rundll32.exe.26e8e83aab5.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.rundll32.exe.26e8e83aab5.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.rundll32.exe.26e8e83aab5.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.rundll32.exe.212f283aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.rundll32.exe.212f283aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.rundll32.exe.212f283aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
28.2.rundll32.exe.1db60875501.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.rundll32.exe.1db60875501.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
28.2.rundll32.exe.1db60875501.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
34.2.rundll32.exe.2a3ad43aab5.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.rundll32.exe.2a3ad43aab5.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
34.2.rundll32.exe.2a3ad43aab5.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
30.2.rundll32.exe.2d3414aff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rundll32.exe.15e454aff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rundll32.exe.15e454aff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.rundll32.exe.15e454aff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.rundll32.exe.2ade1475501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.rundll32.exe.2ade1475501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.rundll32.exe.2ade1475501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
40.2.rundll32.exe.1e211c3aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
40.2.rundll32.exe.1e211c3aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
30.2.rundll32.exe.2d341475501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.rundll32.exe.2d341475501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
30.2.rundll32.exe.2d34143aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.rundll32.exe.2d34143aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
21.2.rundll32.exe.26d2243aab5.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.rundll32.exe.26d2243aab5.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
37.2.rundll32.exe.1e5ebcaff40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
37.2.rundll32.exe.1e5ebcaff40.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
30.2.rundll32.exe.2d341475501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
36.2.rundll32.exe.1eb28caff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.2.rundll32.exe.1eb28caff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
30.2.rundll32.exe.2d3414aff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
21.2.rundll32.exe.26d2243aab5.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
30.2.rundll32.exe.2d3414aff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
40.2.rundll32.exe.1e211c3aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
37.2.rundll32.exe.1e5ebcaff40.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
30.2.rundll32.exe.2d34143aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
36.2.rundll32.exe.1eb28caff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
35.2.rundll32.exe.1fee2c75501.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
35.2.rundll32.exe.1fee2c75501.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
35.2.rundll32.exe.1fee2c75501.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.rundll32.exe.212f2875501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.rundll32.exe.212f2875501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.rundll32.exe.2ade1475501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.rundll32.exe.2ade1475501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.rundll32.exe.212f2875501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.rundll32.exe.2ade1475501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
30.2.rundll32.exe.2d34143aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.rundll32.exe.2d34143aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
30.2.rundll32.exe.2d34143aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
11.2.rundll32.exe.21b24475501.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.rundll32.exe.21b24475501.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.rundll32.exe.21b24475501.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
33.2.rundll32.exe.1d06bc3aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.rundll32.exe.1d06bc3aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
33.2.rundll32.exe.1d06bc3aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
31.2.rundll32.exe.29977875501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.rundll32.exe.29977875501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.rundll32.exe.29977875501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
30.2.rundll32.exe.2d3414aff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.rundll32.exe.2d3414aff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
30.2.rundll32.exe.2d3414aff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
21.2.rundll32.exe.26d224aff40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.rundll32.exe.26d224aff40.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
21.2.rundll32.exe.26d224aff40.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.rundll32.exe.26e8e875501.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.rundll32.exe.26e8e875501.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.rundll32.exe.26e8e875501.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.rundll32.exe.15e454aff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rundll32.exe.15e454aff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.rundll32.exe.15e454aff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
15.2.rundll32.exe.20f5f0aff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.rundll32.exe.20f5f0aff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.rundll32.exe.20f5f0aff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.rundll32.exe.212f28aff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.rundll32.exe.212f28aff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.rundll32.exe.212f28aff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
40.2.rundll32.exe.1e211caff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
40.2.rundll32.exe.1e211caff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
40.2.rundll32.exe.1e211caff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
36.2.rundll32.exe.1eb28c3aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.2.rundll32.exe.1eb28c3aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
36.2.rundll32.exe.1eb28c3aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
34.2.rundll32.exe.2a3ad4aff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.rundll32.exe.2a3ad4aff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
34.2.rundll32.exe.2a3ad4aff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.rundll32.exe.2ade143aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.rundll32.exe.2ade143aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.rundll32.exe.2ade143aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
37.2.rundll32.exe.1e5ebc75501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
37.2.rundll32.exe.1e5ebc75501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
37.2.rundll32.exe.1e5ebc75501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
23.2.rundll32.exe.1de62c3aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.rundll32.exe.1de62c3aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
23.2.rundll32.exe.1de62c3aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
40.2.rundll32.exe.1e211caff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
40.2.rundll32.exe.1e211caff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
40.2.rundll32.exe.1e211caff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
33.2.rundll32.exe.1d06bcaff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.rundll32.exe.1d06bcaff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
33.2.rundll32.exe.1d06bcaff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
23.2.rundll32.exe.1de62c3aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.rundll32.exe.1de62c3aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
23.2.rundll32.exe.1de62c3aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
34.2.rundll32.exe.2a3ad475501.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.rundll32.exe.2a3ad475501.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
34.2.rundll32.exe.2a3ad475501.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.rundll32.exe.2ade14aff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.rundll32.exe.2ade14aff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.rundll32.exe.2ade14aff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
15.2.rundll32.exe.20f5f03aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.rundll32.exe.20f5f03aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.rundll32.exe.20f5f03aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
37.2.rundll32.exe.1e5ebcaff40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
37.2.rundll32.exe.1e5ebcaff40.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
37.2.rundll32.exe.1e5ebcaff40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
32.2.rundll32.exe.21e98c75501.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
32.2.rundll32.exe.21e98c75501.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
32.2.rundll32.exe.21e98c75501.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.rundll32.exe.15e45475501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rundll32.exe.15e45475501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.rundll32.exe.15e45475501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
16.2.rundll32.exe.223718aff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.rundll32.exe.223718aff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.rundll32.exe.223718aff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
36.2.rundll32.exe.1eb28c3aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.2.rundll32.exe.1eb28c3aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
36.2.rundll32.exe.1eb28c3aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
28.2.rundll32.exe.1db6083aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.rundll32.exe.1db6083aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
28.2.rundll32.exe.1db6083aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
16.2.rundll32.exe.223718aff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.rundll32.exe.223718aff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.rundll32.exe.223718aff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
16.2.rundll32.exe.22371875501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.rundll32.exe.22371875501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.rundll32.exe.22371875501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
26.2.rundll32.exe.240d603aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.rundll32.exe.240d603aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
26.2.rundll32.exe.240d603aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
35.2.rundll32.exe.1fee2caff40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
35.2.rundll32.exe.1fee2caff40.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
35.2.rundll32.exe.1fee2caff40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
21.2.rundll32.exe.26d2243aab5.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.rundll32.exe.26d2243aab5.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
21.2.rundll32.exe.26d2243aab5.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
15.2.rundll32.exe.20f5f075501.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.rundll32.exe.20f5f075501.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.rundll32.exe.20f5f075501.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.rundll32.exe.26e8e875501.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.rundll32.exe.26e8e875501.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.rundll32.exe.26e8e875501.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
26.2.rundll32.exe.240d603aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.rundll32.exe.240d603aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
26.2.rundll32.exe.240d603aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
32.2.rundll32.exe.21e98c3aab5.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
32.2.rundll32.exe.21e98c3aab5.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
32.2.rundll32.exe.21e98c3aab5.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
33.2.rundll32.exe.1d06bcaff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.rundll32.exe.1d06bcaff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
33.2.rundll32.exe.1d06bcaff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
38.2.rundll32.exe.1e95b4aff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.2.rundll32.exe.1e95b4aff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
38.2.rundll32.exe.1e95b4aff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
40.2.rundll32.exe.1e211c75501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
40.2.rundll32.exe.1e211c75501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
40.2.rundll32.exe.1e211c75501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
31.2.rundll32.exe.2997783aab5.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.rundll32.exe.2997783aab5.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.rundll32.exe.2997783aab5.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
31.2.rundll32.exe.299778aff40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.rundll32.exe.299778aff40.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.rundll32.exe.299778aff40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
15.2.rundll32.exe.20f5f075501.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.rundll32.exe.20f5f075501.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.rundll32.exe.20f5f075501.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
23.2.rundll32.exe.1de62c75501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.rundll32.exe.1de62c75501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
23.2.rundll32.exe.1de62c75501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.rundll32.exe.212f2875501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.rundll32.exe.212f2875501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.rundll32.exe.212f2875501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.rundll32.exe.21b244aff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.rundll32.exe.21b244aff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.rundll32.exe.21b244aff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
26.2.rundll32.exe.240d6075501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.rundll32.exe.240d6075501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
26.2.rundll32.exe.240d6075501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.rundll32.exe.20407075501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.rundll32.exe.20407075501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.rundll32.exe.20407075501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.rundll32.exe.15e4543aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rundll32.exe.15e4543aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.rundll32.exe.15e4543aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
14.2.rundll32.exe.2ade14aff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.rundll32.exe.2ade14aff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.rundll32.exe.2ade14aff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
38.2.rundll32.exe.1e95b43aab5.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.2.rundll32.exe.1e95b43aab5.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
38.2.rundll32.exe.1e95b43aab5.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
26.2.rundll32.exe.240d60aff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.rundll32.exe.240d60aff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
26.2.rundll32.exe.240d60aff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
16.2.rundll32.exe.2237183aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.rundll32.exe.2237183aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.rundll32.exe.2237183aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.rundll32.exe.204070aff40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.rundll32.exe.204070aff40.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
28.2.rundll32.exe.1db6083aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.rundll32.exe.1db6083aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.rundll32.exe.204070aff40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.rundll32.exe.15e45475501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rundll32.exe.15e45475501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
28.2.rundll32.exe.1db6083aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
8.2.rundll32.exe.15e45475501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
35.2.rundll32.exe.1fee2caff40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
35.2.rundll32.exe.1fee2caff40.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
35.2.rundll32.exe.1fee2caff40.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
21.2.rundll32.exe.26d224aff40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.rundll32.exe.26d224aff40.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
21.2.rundll32.exe.26d224aff40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
33.2.rundll32.exe.1d06bc3aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.rundll32.exe.1d06bc3aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
33.2.rundll32.exe.1d06bc3aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
16.2.rundll32.exe.22371875501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.rundll32.exe.22371875501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.rundll32.exe.22371875501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
31.2.rundll32.exe.299778aff40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.rundll32.exe.299778aff40.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.rundll32.exe.299778aff40.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.rundll32.exe.2586acaff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.rundll32.exe.2586acaff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.rundll32.exe.2586acaff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
40.2.rundll32.exe.1e211c3aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
40.2.rundll32.exe.1e211c3aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
40.2.rundll32.exe.1e211c3aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
32.2.rundll32.exe.21e98caff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
32.2.rundll32.exe.21e98caff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
32.2.rundll32.exe.21e98caff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
34.2.rundll32.exe.2a3ad475501.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.rundll32.exe.2a3ad475501.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
34.2.rundll32.exe.2a3ad475501.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.rundll32.exe.2586acaff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.rundll32.exe.2586acaff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.rundll32.exe.2586acaff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
28.2.rundll32.exe.1db608aff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.rundll32.exe.1db608aff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
38.2.rundll32.exe.1e95b475501.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.2.rundll32.exe.1e95b475501.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
28.2.rundll32.exe.1db608aff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
36.2.rundll32.exe.1eb28c75501.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.2.rundll32.exe.1eb28c75501.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
23.2.rundll32.exe.1de62c75501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.rundll32.exe.1de62c75501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
38.2.rundll32.exe.1e95b475501.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
23.2.rundll32.exe.1de62c75501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.rundll32.exe.26e8e83aab5.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.rundll32.exe.26e8e83aab5.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.rundll32.exe.26e8e83aab5.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
38.2.rundll32.exe.1e95b43aab5.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.2.rundll32.exe.1e95b43aab5.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
38.2.rundll32.exe.1e95b43aab5.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
36.2.rundll32.exe.1eb28c75501.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
31.2.rundll32.exe.29977875501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.rundll32.exe.29977875501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.rundll32.exe.29977875501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
31.2.rundll32.exe.2997783aab5.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.rundll32.exe.2997783aab5.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.rundll32.exe.2997783aab5.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.rundll32.exe.204070aff40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.rundll32.exe.204070aff40.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.rundll32.exe.204070aff40.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.rundll32.exe.2586ac75501.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.rundll32.exe.2586ac75501.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.rundll32.exe.2586ac75501.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
32.2.rundll32.exe.21e98caff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
32.2.rundll32.exe.21e98caff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
32.2.rundll32.exe.21e98caff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.rundll32.exe.15e4543aab5.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.rundll32.exe.15e4543aab5.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.rundll32.exe.15e4543aab5.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.rundll32.exe.212f283aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.rundll32.exe.212f283aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
23.2.rundll32.exe.1de62caff40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.rundll32.exe.1de62caff40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.rundll32.exe.212f283aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
23.2.rundll32.exe.1de62caff40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
35.2.rundll32.exe.1fee2c3aab5.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
35.2.rundll32.exe.1fee2c3aab5.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
35.2.rundll32.exe.1fee2c3aab5.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
4.2.rundll32.exe.2586ac3aab5.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.rundll32.exe.2586ac3aab5.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.rundll32.exe.2586ac3aab5.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
4.2.rundll32.exe.2586ac3aab5.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.rundll32.exe.2586ac3aab5.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.rundll32.exe.2586ac3aab5.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
37.2.rundll32.exe.1e5ebc3aab5.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
37.2.rundll32.exe.1e5ebc3aab5.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
37.2.rundll32.exe.1e5ebc3aab5.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
26.2.rundll32.exe.240d6075501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.rundll32.exe.240d6075501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
26.2.rundll32.exe.240d6075501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
37.2.rundll32.exe.1e5ebc75501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
37.2.rundll32.exe.1e5ebc75501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
37.2.rundll32.exe.1e5ebc75501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
37.2.rundll32.exe.1e5ebc3aab5.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
37.2.rundll32.exe.1e5ebc3aab5.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
37.2.rundll32.exe.1e5ebc3aab5.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
32.2.rundll32.exe.21e98c3aab5.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
32.2.rundll32.exe.21e98c3aab5.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
32.2.rundll32.exe.21e98c3aab5.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
36.2.rundll32.exe.1eb28caff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.2.rundll32.exe.1eb28caff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
36.2.rundll32.exe.1eb28caff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.rundll32.exe.21b2443aab5.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.rundll32.exe.21b2443aab5.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.rundll32.exe.21b2443aab5.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
33.2.rundll32.exe.1d06bc75501.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.rundll32.exe.1d06bc75501.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
33.2.rundll32.exe.1d06bc75501.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
15.2.rundll32.exe.20f5f03aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.rundll32.exe.20f5f03aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.rundll32.exe.20f5f03aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
34.2.rundll32.exe.2a3ad43aab5.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.rundll32.exe.2a3ad43aab5.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
34.2.rundll32.exe.2a3ad43aab5.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
15.2.rundll32.exe.20f5f0aff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.rundll32.exe.20f5f0aff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.rundll32.exe.20f5f0aff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
38.2.rundll32.exe.1e95b475501.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.2.rundll32.exe.1e95b475501.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
38.2.rundll32.exe.1e95b475501.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.rundll32.exe.2040703aab5.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.rundll32.exe.2040703aab5.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.rundll32.exe.2040703aab5.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
3.2.rundll32.exe.2040703aab5.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.rundll32.exe.2040703aab5.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.rundll32.exe.2040703aab5.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
34.2.rundll32.exe.2a3ad4aff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.rundll32.exe.2a3ad4aff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
34.2.rundll32.exe.2a3ad4aff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.rundll32.exe.21b244aff40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.rundll32.exe.21b244aff40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.rundll32.exe.21b244aff40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
21.2.rundll32.exe.26d22475501.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.rundll32.exe.26d22475501.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
21.2.rundll32.exe.26d22475501.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
35.2.rundll32.exe.1fee2c3aab5.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
35.2.rundll32.exe.1fee2c3aab5.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
35.2.rundll32.exe.1fee2c3aab5.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
16.2.rundll32.exe.2237183aab5.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.rundll32.exe.2237183aab5.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.rundll32.exe.2237183aab5.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
3.2.rundll32.exe.20407075501.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.rundll32.exe.20407075501.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.rundll32.exe.20407075501.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.rundll32.exe.21b24475501.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.rundll32.exe.21b24475501.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.rundll32.exe.21b24475501.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
30.2.rundll32.exe.2d341475501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.rundll32.exe.2d341475501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
30.2.rundll32.exe.2d341475501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
35.2.rundll32.exe.1fee2c75501.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
35.2.rundll32.exe.1fee2c75501.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.rundll32.exe.21b2443aab5.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.rundll32.exe.21b2443aab5.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
35.2.rundll32.exe.1fee2c75501.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.rundll32.exe.21b2443aab5.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df37:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8976:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa89e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e033:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8a72:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8b04:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8b6e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8be0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e237:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8c76:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
19.2.rundll32.exe.26e8e8aff40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.rundll32.exe.26e8e8aff40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.rundll32.exe.26e8e8aff40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.rundll32.exe.2586ac75501.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.rundll32.exe.2586ac75501.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.rundll32.exe.2586ac75501.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
21.2.rundll32.exe.26d22475501.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.rundll32.exe.26d22475501.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
21.2.rundll32.exe.26d22475501.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
28.2.rundll32.exe.1db60875501.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.rundll32.exe.1db60875501.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
28.2.rundll32.exe.1db60875501.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
23.2.rundll32.exe.1de62caff40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.rundll32.exe.1de62caff40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
23.2.rundll32.exe.1de62caff40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
40.2.rundll32.exe.1e211c75501.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
40.2.rundll32.exe.1e211c75501.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
40.2.rundll32.exe.1e211c75501.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
36.2.rundll32.exe.1eb28c75501.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.2.rundll32.exe.1eb28c75501.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
36.2.rundll32.exe.1eb28c75501.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df9c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e026:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0b8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e122:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e194:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2ba:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 412 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 6292, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49712

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T03:05:09.971854+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49783	162.254.34.31	587	TCP
2025-02-19T03:05:09.971854+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49786	162.254.34.31	587	TCP
2025-02-19T03:05:09.971854+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49760	162.254.34.31	587	TCP
2025-02-19T03:05:09.971854+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49800	162.254.34.31	587	TCP
2025-02-19T03:05:21.767866+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49712	162.254.34.31	587	TCP
2025-02-19T03:05:36.110215+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49715	162.254.34.31	587	TCP
2025-02-19T03:05:36.163029+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49718	162.254.34.31	587	TCP
2025-02-19T03:07:16.096344+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49794	162.254.34.31	587	TCP
2025-02-19T03:07:16.150663+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49798	162.254.34.31	587	TCP
2025-02-19T03:07:16.152143+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49802	162.254.34.31	587	TCP
2025-02-19T03:07:16.152385+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49803	162.254.34.31	587	TCP
2025-02-19T03:07:16.152862+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49805	162.254.34.31	587	TCP
2025-02-19T03:07:16.153400+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49808	162.254.34.31	587	TCP
2025-02-19T03:07:16.154701+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49804	162.254.34.31	587	TCP
2025-02-19T03:07:16.155633+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49807	162.254.34.31	587	TCP
2025-02-19T03:07:16.155710+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49806	162.254.34.31	587	TCP
2025-02-19T03:07:16.155835+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49799	162.254.34.31	587	TCP
2025-02-19T03:07:16.156196+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49801	162.254.34.31	587	TCP
2025-02-19T03:07:16.159072+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49809	162.254.34.31	587	TCP
2025-02-19T03:07:16.159095+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49797	162.254.34.31	587	TCP
2025-02-19T03:07:16.173024+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49813	162.254.34.31	587	TCP
2025-02-19T03:07:16.174352+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49810	162.254.34.31	587	TCP
2025-02-19T03:07:16.181724+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49811	162.254.34.31	587	TCP
2025-02-19T03:07:16.183321+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49812	162.254.34.31	587	TCP
2025-02-19T03:07:16.183586+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49815	162.254.34.31	587	TCP
2025-02-19T03:07:16.184211+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49816	162.254.34.31	587	TCP
2025-02-19T03:07:16.185407+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49814	162.254.34.31	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 13.2.rundll32.exe.212f2875501.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}

Multi AV Scanner detection for submitted file

Source: #U0160iauliai.dll	Virustotal: Detection: 26%			Perma Link
Source: #U0160iauliai.dll	ReversingLabs: Detection: 24%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49785 version: TLS 1.2

Source: #U0160iauliai.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49712 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49718 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49715 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49794 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49803 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49805 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49802 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49806 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49809 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49798 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49811 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49812 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49808 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49815 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49814 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49801 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49799 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49797 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49810 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49813 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49804 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49807 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49816 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49783 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49786 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49760 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49800 -> 162.254.34.31:587

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 162.254.34.31:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 162.254.34.31 162.254.34.31

Source: Joe Sandbox View

ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: AddInProcess32.exe, 00000005.00000002.2184237650.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2242677804.0000000002941000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.2242597580.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000003.00000002.2123144246.0000020407000000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2123118942.000002586AC00000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.2122849521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2152884734.0000015E45400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2181624470.0000021B24400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2236830094.00000212F2800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2240361897.000002ADE1400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2215391513.0000020F5F000000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2236601280.0000022371800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2220365924.0000026E8E800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2239877416.0000026D22400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2225117056.000001DE62C00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2239622733.00000240D6000000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000002.2220478952.000001DB60800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.2240490951.000002D341400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001F.00000002.2235949925.0000029977800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000020.00000002.2240400264.0000021E98C00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000021.00000002.2226705541.000001D06BC00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000022.00000002.2240351092.000002A3AD400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000023.00000002.2223392161.000001FEE2C00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.2240276888.000001EB28C00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: loaddll64.exe, 00000000.00000002.3398180203.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2123690872.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2123492398.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2123744647.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2123568786.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.2153843209.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.2154047160.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2182762616.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2182407016.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2239996453.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2241621402.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2244187618.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2256245874.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2216622084.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2216332111.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2240006114.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2241483987.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2221756693.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2221522413.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2256871412.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2246794538.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: loaddll64.exe, 00000000.00000002.3398180203.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2123690872.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2123492398.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2123744647.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2123568786.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.2153843209.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.2154047160.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2182762616.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2182407016.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2239996453.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2241621402.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2244187618.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2256245874.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2216622084.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2216332111.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2240006114.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2241483987.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2221756693.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2221522413.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2256871412.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2246794538.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: rundll32.exe, 00000028.00000002.2257855717.00007FFD944C7000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000028.00000002.2252581127.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, #U0160iauliai.dll	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: loaddll64.exe, 00000000.00000002.3398180203.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2123492398.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2123568786.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.2153843209.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2182407016.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2239996453.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2244187618.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2216332111.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2240006114.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2221522413.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2246794538.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2226194623.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.2242673657.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.2221581098.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.2252944670.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.2239268847.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000020.00000002.2252987785.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.2227570997.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.2252838323.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.2224381272.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.2252662637.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: loaddll64.exe, 00000000.00000002.3398180203.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2123492398.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2123568786.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.2153843209.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2182407016.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2239996453.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2244187618.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2216332111.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2240006114.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2221522413.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2246794538.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2226194623.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.2242673657.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.2221581098.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.2252944670.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.2239268847.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000020.00000002.2252987785.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.2227570997.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.2252838323.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.2224381272.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.2252662637.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: rundll32.exe, 00000003.00000002.2123144246.0000020407000000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2123118942.000002586AC00000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2184237650.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.2122849521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2152884734.0000015E45400000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2242677804.0000000002941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2181624470.0000021B24400000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.2242597580.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2236830094.00000212F2800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2240361897.000002ADE1400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2215391513.0000020F5F000000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2236601280.0000022371800000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2238630907.0000000002994000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2220365924.0000026E8E800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2239877416.0000026D22400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2225117056.000001DE62C00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2239622733.00000240D6000000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000002.2220478952.000001DB60800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.2240490951.000002D341400000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001F.00000002.2235949925.0000029977800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000020.00000002.2240400264.0000021E98C00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: AddInProcess32.exe, 00000005.00000002.2184237650.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2242677804.0000000002941000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.2242597580.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: AddInProcess32.exe, 00000005.00000002.2184237650.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2242677804.0000000002941000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.2242597580.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: loaddll64.exe, 00000000.00000002.3398180203.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2123492398.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2123568786.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.2153843209.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2182407016.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2239996453.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2244187618.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2216332111.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2240006114.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2221522413.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2246794538.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2226194623.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.2242673657.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.2221581098.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.2252944670.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.2239268847.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000020.00000002.2252987785.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.2227570997.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.2252838323.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.2224381272.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.2252662637.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/adamhathcock/sharpcompress

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49785 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, SKTzxzsJw.cs	.Net Code: BbookW6D
Source: 3.2.rundll32.exe.204070aff40.1.raw.unpack, SKTzxzsJw.cs	.Net Code: BbookW6D
Source: 3.2.rundll32.exe.2040703aab5.0.raw.unpack, SKTzxzsJw.cs	.Net Code: BbookW6D
Source: 4.2.rundll32.exe.2586acaff40.2.raw.unpack, SKTzxzsJw.cs	.Net Code: BbookW6D
Source: 4.2.rundll32.exe.2586ac3aab5.0.raw.unpack, SKTzxzsJw.cs	.Net Code: BbookW6D

System Summary

Malicious sample detected (through community Yara rule)

Source: 32.2.rundll32.exe.21e98c75501.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 26.2.rundll32.exe.240d60aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 33.2.rundll32.exe.1d06bc75501.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.rundll32.exe.212f28aff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.rundll32.exe.2ade143aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.rundll32.exe.26e8e8aff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 28.2.rundll32.exe.1db608aff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 38.2.rundll32.exe.1e95b4aff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.rundll32.exe.26e8e83aab5.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.rundll32.exe.212f283aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 28.2.rundll32.exe.1db60875501.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.rundll32.exe.2a3ad43aab5.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.rundll32.exe.15e454aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.rundll32.exe.2ade1475501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 30.2.rundll32.exe.2d341475501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.rundll32.exe.26d2243aab5.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 30.2.rundll32.exe.2d3414aff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 40.2.rundll32.exe.1e211c3aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 37.2.rundll32.exe.1e5ebcaff40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 30.2.rundll32.exe.2d34143aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 36.2.rundll32.exe.1eb28caff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 35.2.rundll32.exe.1fee2c75501.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.rundll32.exe.212f2875501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.rundll32.exe.2ade1475501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 30.2.rundll32.exe.2d34143aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.rundll32.exe.21b24475501.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 33.2.rundll32.exe.1d06bc3aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.rundll32.exe.29977875501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 30.2.rundll32.exe.2d3414aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.rundll32.exe.26d224aff40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.rundll32.exe.26e8e875501.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.rundll32.exe.15e454aff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.rundll32.exe.20f5f0aff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.rundll32.exe.212f28aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 40.2.rundll32.exe.1e211caff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 36.2.rundll32.exe.1eb28c3aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.rundll32.exe.2a3ad4aff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.rundll32.exe.2ade143aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 37.2.rundll32.exe.1e5ebc75501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 23.2.rundll32.exe.1de62c3aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 40.2.rundll32.exe.1e211caff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 33.2.rundll32.exe.1d06bcaff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 23.2.rundll32.exe.1de62c3aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.rundll32.exe.2a3ad475501.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.rundll32.exe.2ade14aff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.rundll32.exe.20f5f03aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 37.2.rundll32.exe.1e5ebcaff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 32.2.rundll32.exe.21e98c75501.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.rundll32.exe.15e45475501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.rundll32.exe.223718aff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 36.2.rundll32.exe.1eb28c3aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 28.2.rundll32.exe.1db6083aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.rundll32.exe.223718aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.rundll32.exe.22371875501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 26.2.rundll32.exe.240d603aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 35.2.rundll32.exe.1fee2caff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.rundll32.exe.26d2243aab5.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.rundll32.exe.20f5f075501.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.rundll32.exe.26e8e875501.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 26.2.rundll32.exe.240d603aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 32.2.rundll32.exe.21e98c3aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 33.2.rundll32.exe.1d06bcaff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 38.2.rundll32.exe.1e95b4aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 40.2.rundll32.exe.1e211c75501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.rundll32.exe.2997783aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.rundll32.exe.299778aff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.rundll32.exe.20f5f075501.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 23.2.rundll32.exe.1de62c75501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.rundll32.exe.212f2875501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.rundll32.exe.21b244aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 26.2.rundll32.exe.240d6075501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.rundll32.exe.15e4543aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.rundll32.exe.2ade14aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 38.2.rundll32.exe.1e95b43aab5.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 26.2.rundll32.exe.240d60aff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.rundll32.exe.2237183aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.rundll32.exe.204070aff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 28.2.rundll32.exe.1db6083aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.rundll32.exe.15e45475501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 35.2.rundll32.exe.1fee2caff40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.rundll32.exe.26d224aff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 33.2.rundll32.exe.1d06bc3aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.rundll32.exe.22371875501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.rundll32.exe.299778aff40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.rundll32.exe.2586acaff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 40.2.rundll32.exe.1e211c3aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 32.2.rundll32.exe.21e98caff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.rundll32.exe.2a3ad475501.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.rundll32.exe.2586acaff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 28.2.rundll32.exe.1db608aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 38.2.rundll32.exe.1e95b475501.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 23.2.rundll32.exe.1de62c75501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.rundll32.exe.26e8e83aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 38.2.rundll32.exe.1e95b43aab5.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 36.2.rundll32.exe.1eb28c75501.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.rundll32.exe.29977875501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.rundll32.exe.2997783aab5.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.rundll32.exe.204070aff40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.rundll32.exe.2586ac75501.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 32.2.rundll32.exe.21e98caff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.rundll32.exe.15e4543aab5.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.rundll32.exe.212f283aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 23.2.rundll32.exe.1de62caff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 35.2.rundll32.exe.1fee2c3aab5.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.rundll32.exe.2586ac3aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.rundll32.exe.2586ac3aab5.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 37.2.rundll32.exe.1e5ebc3aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 26.2.rundll32.exe.240d6075501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 37.2.rundll32.exe.1e5ebc75501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 37.2.rundll32.exe.1e5ebc3aab5.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 32.2.rundll32.exe.21e98c3aab5.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 36.2.rundll32.exe.1eb28caff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.rundll32.exe.21b2443aab5.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 33.2.rundll32.exe.1d06bc75501.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.rundll32.exe.20f5f03aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.rundll32.exe.2a3ad43aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.rundll32.exe.20f5f0aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 38.2.rundll32.exe.1e95b475501.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.rundll32.exe.2040703aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.rundll32.exe.2040703aab5.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.rundll32.exe.2a3ad4aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.rundll32.exe.21b244aff40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.rundll32.exe.26d22475501.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 35.2.rundll32.exe.1fee2c3aab5.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.rundll32.exe.2237183aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.rundll32.exe.20407075501.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.rundll32.exe.21b24475501.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 30.2.rundll32.exe.2d341475501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 35.2.rundll32.exe.1fee2c75501.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.rundll32.exe.21b2443aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.rundll32.exe.26e8e8aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.rundll32.exe.2586ac75501.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.rundll32.exe.26d22475501.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 28.2.rundll32.exe.1db60875501.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 23.2.rundll32.exe.1de62caff40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 40.2.rundll32.exe.1e211c75501.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 36.2.rundll32.exe.1eb28c75501.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BE4AA0	5_2_02BE4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BEAA38	5_2_02BEAA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BEDBE0	5_2_02BEDBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BE3E88	5_2_02BE3E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BE41D0	5_2_02BE41D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BEE4BE	5_2_02BEE4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BEDF88	5_2_02BEDF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059C5D50	5_2_059C5D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059CE4E8	5_2_059CE4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059CA150	5_2_059CA150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059C9208	5_2_059C9208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059C45C0	5_2_059C45C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059C3560	5_2_059C3560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059C3CC0	5_2_059C3CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059C5670	5_2_059C5670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059C0308	5_2_059C0308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059CC370	5_2_059CC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694A178	5_2_0694A178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694BC58	5_2_0694BC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BEAA33	5_2_02BEAA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F0A978	10_2_00F0A978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F04AA0	10_2_00F04AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F0DBE0	10_2_00F0DBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F03E88	10_2_00F03E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F0E06F	10_2_00F0E06F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F041D0	10_2_00F041D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062C3560	10_2_062C3560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062C5D50	10_2_062C5D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062C45C0	10_2_062C45C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062C9208	10_2_062C9208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062C0308	10_2_062C0308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062CE0D9	10_2_062CE0D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062CA150	10_2_062CA150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062C5670	10_2_062C5670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062C3CC0	10_2_062C3CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062CC370	10_2_062CC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_0641A198	10_2_0641A198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_0641BC48	10_2_0641BC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F0DF88	10_2_00F0DF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C6C52C	12_2_02C6C52C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C64AA0	12_2_02C64AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C6DBE0	12_2_02C6DBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C6A978	12_2_02C6A978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C63E88	12_2_02C63E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C641D0	12_2_02C641D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C6E4BB	12_2_02C6E4BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067CE4E8	12_2_067CE4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067C3560	12_2_067C3560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067C5D50	12_2_067C5D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067C45C0	12_2_067C45C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067C9208	12_2_067C9208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067C0308	12_2_067C0308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067CA150	12_2_067CA150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067C5670	12_2_067C5670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067C3CC0	12_2_067C3CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067CC370	12_2_067CC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691A178	12_2_0691A178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691BC58	12_2_0691BC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C6DF88	12_2_02C6DF88

Source: #U0160iauliai.dll

Binary or memory string: OriginalFilename` vs #U0160iauliai.dll

Source: 32.2.rundll32.exe.21e98c75501.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 26.2.rundll32.exe.240d60aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 33.2.rundll32.exe.1d06bc75501.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.rundll32.exe.212f28aff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.rundll32.exe.2ade143aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.rundll32.exe.26e8e8aff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 28.2.rundll32.exe.1db608aff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 38.2.rundll32.exe.1e95b4aff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.rundll32.exe.26e8e83aab5.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.rundll32.exe.212f283aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 28.2.rundll32.exe.1db60875501.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.rundll32.exe.2a3ad43aab5.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.rundll32.exe.15e454aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.rundll32.exe.2ade1475501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 30.2.rundll32.exe.2d341475501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.rundll32.exe.26d2243aab5.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 30.2.rundll32.exe.2d3414aff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 40.2.rundll32.exe.1e211c3aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 37.2.rundll32.exe.1e5ebcaff40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 30.2.rundll32.exe.2d34143aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 36.2.rundll32.exe.1eb28caff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 35.2.rundll32.exe.1fee2c75501.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.rundll32.exe.212f2875501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.rundll32.exe.2ade1475501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 30.2.rundll32.exe.2d34143aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.rundll32.exe.21b24475501.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 33.2.rundll32.exe.1d06bc3aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.rundll32.exe.29977875501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 30.2.rundll32.exe.2d3414aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.rundll32.exe.26d224aff40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.rundll32.exe.26e8e875501.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.rundll32.exe.15e454aff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.rundll32.exe.20f5f0aff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.rundll32.exe.212f28aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 40.2.rundll32.exe.1e211caff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 36.2.rundll32.exe.1eb28c3aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.rundll32.exe.2a3ad4aff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.rundll32.exe.2ade143aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 37.2.rundll32.exe.1e5ebc75501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 23.2.rundll32.exe.1de62c3aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 40.2.rundll32.exe.1e211caff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 33.2.rundll32.exe.1d06bcaff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 23.2.rundll32.exe.1de62c3aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.rundll32.exe.2a3ad475501.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.rundll32.exe.2ade14aff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.rundll32.exe.20f5f03aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 37.2.rundll32.exe.1e5ebcaff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 32.2.rundll32.exe.21e98c75501.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.rundll32.exe.15e45475501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.rundll32.exe.223718aff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 36.2.rundll32.exe.1eb28c3aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 28.2.rundll32.exe.1db6083aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.rundll32.exe.223718aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.rundll32.exe.22371875501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 26.2.rundll32.exe.240d603aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 35.2.rundll32.exe.1fee2caff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.rundll32.exe.26d2243aab5.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.rundll32.exe.20f5f075501.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.rundll32.exe.26e8e875501.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 26.2.rundll32.exe.240d603aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 32.2.rundll32.exe.21e98c3aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 33.2.rundll32.exe.1d06bcaff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 38.2.rundll32.exe.1e95b4aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 40.2.rundll32.exe.1e211c75501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.rundll32.exe.2997783aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.rundll32.exe.299778aff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.rundll32.exe.20f5f075501.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 23.2.rundll32.exe.1de62c75501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.rundll32.exe.212f2875501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.rundll32.exe.21b244aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 26.2.rundll32.exe.240d6075501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.rundll32.exe.15e4543aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.rundll32.exe.2ade14aff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 38.2.rundll32.exe.1e95b43aab5.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 26.2.rundll32.exe.240d60aff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.rundll32.exe.2237183aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.rundll32.exe.204070aff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 28.2.rundll32.exe.1db6083aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.rundll32.exe.15e45475501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 35.2.rundll32.exe.1fee2caff40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.rundll32.exe.26d224aff40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 33.2.rundll32.exe.1d06bc3aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.rundll32.exe.22371875501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.rundll32.exe.299778aff40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.rundll32.exe.2586acaff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 40.2.rundll32.exe.1e211c3aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 32.2.rundll32.exe.21e98caff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.rundll32.exe.2a3ad475501.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.rundll32.exe.2586acaff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 28.2.rundll32.exe.1db608aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 38.2.rundll32.exe.1e95b475501.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 23.2.rundll32.exe.1de62c75501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.rundll32.exe.26e8e83aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 38.2.rundll32.exe.1e95b43aab5.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 36.2.rundll32.exe.1eb28c75501.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.rundll32.exe.29977875501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.rundll32.exe.2997783aab5.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.rundll32.exe.204070aff40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.rundll32.exe.2586ac75501.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 32.2.rundll32.exe.21e98caff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.rundll32.exe.15e4543aab5.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.rundll32.exe.212f283aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 23.2.rundll32.exe.1de62caff40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 35.2.rundll32.exe.1fee2c3aab5.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.rundll32.exe.2586ac3aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.rundll32.exe.2586ac3aab5.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 37.2.rundll32.exe.1e5ebc3aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 26.2.rundll32.exe.240d6075501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 37.2.rundll32.exe.1e5ebc75501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 37.2.rundll32.exe.1e5ebc3aab5.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 32.2.rundll32.exe.21e98c3aab5.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 36.2.rundll32.exe.1eb28caff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.rundll32.exe.21b2443aab5.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 33.2.rundll32.exe.1d06bc75501.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.rundll32.exe.20f5f03aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.rundll32.exe.2a3ad43aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.rundll32.exe.20f5f0aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 38.2.rundll32.exe.1e95b475501.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.rundll32.exe.2040703aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.rundll32.exe.2040703aab5.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.rundll32.exe.2a3ad4aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.rundll32.exe.21b244aff40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.rundll32.exe.26d22475501.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 35.2.rundll32.exe.1fee2c3aab5.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.rundll32.exe.2237183aab5.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.rundll32.exe.20407075501.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.rundll32.exe.21b24475501.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 30.2.rundll32.exe.2d341475501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 35.2.rundll32.exe.1fee2c75501.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.rundll32.exe.21b2443aab5.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.rundll32.exe.26e8e8aff40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.rundll32.exe.2586ac75501.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.rundll32.exe.26d22475501.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 28.2.rundll32.exe.1db60875501.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 23.2.rundll32.exe.1de62caff40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 40.2.rundll32.exe.1e211c75501.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 36.2.rundll32.exe.1eb28c75501.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.rundll32.exe.20407075501.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winDLL@154/0@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03

Source: #U0160iauliai.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,003m1A2V

Source: #U0160iauliai.dll	Virustotal: Detection: 26%
Source: #U0160iauliai.dll	ReversingLabs: Detection: 24%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\#U0160iauliai.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,003m1A2V
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,0116DBXXNkOBoHSd9
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,01xCx0DbbvNE0xVfCt
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",003m1A2V
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",0116DBXXNkOBoHSd9
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",01xCx0DbbvNE0xVfCt
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zyqASawbBrr1zFVuF
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zy7ucLjy07p1lbINwy8ic
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zuQ2kBcRAG9Rn4s0abI9YEc1r
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",ztZxAgNMKz
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zt0hf0XPOvY1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zskuig3
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zr1gfpGkehUGSz0N5FIUd
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zqGyaCM4nfzfO2zwJS7YmF
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zoSZdvNm
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zmXsK3Gd
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zhNir09
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zfRIATEID9dN26prq0vZUJ
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdsXUc7dY
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdEmXoa8cYu21lSKstmc1ldaJ7CLfbR
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdBIf0ig8Rmg8fhaLwnYXcsDKWUNmlB
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zcQHOKx
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,003m1A2V	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,0116DBXXNkOBoHSd9	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\#U0160iauliai.dll,01xCx0DbbvNE0xVfCt	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",003m1A2V	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",0116DBXXNkOBoHSd9	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",01xCx0DbbvNE0xVfCt	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zyqASawbBrr1zFVuF	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zy7ucLjy07p1lbINwy8ic	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zuQ2kBcRAG9Rn4s0abI9YEc1r	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",ztZxAgNMKz	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zt0hf0XPOvY1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zr1gfpGkehUGSz0N5FIUd	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zqGyaCM4nfzfO2zwJS7YmF	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zoSZdvNm	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zmXsK3Gd	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zhNir09	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zfRIATEID9dN26prq0vZUJ	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdsXUc7dY	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdEmXoa8cYu21lSKstmc1ldaJ7CLfbR	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zdBIf0ig8Rmg8fhaLwnYXcsDKWUNmlB	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",zcQHOKx	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: #U0160iauliai.dll

Static PE information: More than 271 > 100 exports found

Source: #U0160iauliai.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: #U0160iauliai.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: #U0160iauliai.dll

Static file information: File size 4055040 > 1048576

Source: #U0160iauliai.dll	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d4600
Source: #U0160iauliai.dll	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1e3c00

Source: #U0160iauliai.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: #U0160iauliai.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: #U0160iauliai.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: #U0160iauliai.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: #U0160iauliai.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: #U0160iauliai.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: #U0160iauliai.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: #U0160iauliai.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: #U0160iauliai.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: #U0160iauliai.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: #U0160iauliai.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: #U0160iauliai.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: #U0160iauliai.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: #U0160iauliai.dll

Static PE information: section name: _RDATA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_02BE0C45 push ebx; retf	5_2_02BE0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_059CFEF0 push es; ret	5_2_059CFF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_06945150 push es; ret	5_2_06945160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FB99 push es; iretd	5_2_0694FBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FBDD push es; iretd	5_2_0694FBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FBCD push es; iretd	5_2_0694FBDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FBC9 push es; iretd	5_2_0694FBCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FB21 push es; iretd	5_2_0694FB24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FB55 push es; iretd	5_2_0694FB5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FB44 push es; iretd	5_2_0694FB54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FB71 push es; iretd	5_2_0694FB7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FB7D push es; iretd	5_2_0694FB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_0694FB6D push es; iretd	5_2_0694FB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F00C53 push ebx; retf	10_2_00F00C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_00F00C45 push ebx; retf	10_2_00F00C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_062CFE30 push es; ret	10_2_062CFE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06414D50 push es; ret	10_2_06414D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_0641FAF0 push es; ret	10_2_0641FAF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_02C60C45 push ebx; retf	12_2_02C60C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_067CFEF0 push es; ret	12_2_067CFF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_06915150 push es; ret	12_2_06915160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FB99 push es; iretd	12_2_0691FBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FBDD push es; iretd	12_2_0691FBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FBC9 push es; iretd	12_2_0691FBCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FBCD push es; iretd	12_2_0691FBDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FB10 push es; iretd	12_2_0691FB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FB21 push es; iretd	12_2_0691FB24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FB55 push es; iretd	12_2_0691FB5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FB44 push es; iretd	12_2_0691FB54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FB71 push es; iretd	12_2_0691FB7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0691FB7D push es; iretd	12_2_0691FB88

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: F40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2880000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1110000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2B60000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1630000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3130000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3030000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1190000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4BE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 1640000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 3210000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2F30000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 2657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 728	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2397	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 784	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 2789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 505

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2276	Thread sleep count: 2657 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2276	Thread sleep count: 728 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -99235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -99110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -98985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2948	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3704	Thread sleep count: 2397 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3704	Thread sleep count: 784 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -99157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -99032s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -98922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1008	Thread sleep time: -98204s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2992	Thread sleep count: 2789 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2992	Thread sleep count: 207 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -99651s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -98546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3700	Thread sleep time: -98214s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7656	Thread sleep count: 505 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -99860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -99717s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7656	Thread sleep count: 307 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -99609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -99500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -99380s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -98235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7400	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99651	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98214	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: loaddll64.exe, 00000000.00000002.3398180203.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2123492398.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2123568786.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.2153843209.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2182407016.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2239996453.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2244187618.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2216332111.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2240006114.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2221522413.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2246794538.00007FFD942D6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: InstallUtil.exe, 0000000A.00000002.2329955342.0000000005CF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: AddInProcess32.exe, 00000005.00000002.2189942298.0000000006351000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.2332852396.00000000060F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DF4008	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 8D5008	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7EB008	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: CD6008	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 8BE008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 9F8008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F8D008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: BA0008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E9E008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 98C008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: D7C008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 80B008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 10E1008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AA9008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7C1008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: D74008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F4B008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 342008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6D8008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 9FD008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: EEA008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 84D008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: E0D008
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 627008

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\#U0160iauliai.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFD942CFF8C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FFD942CFF8C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 32.2.rundll32.exe.21e98c75501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d60aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f28aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade143aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e8aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db608aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b4aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e83aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f283aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db60875501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad43aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e454aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade1475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d341475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d34143aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d2243aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebcaff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28caff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d3414aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f2875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade1475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d34143aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b24475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.29977875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d3414aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d224aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e875501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e454aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f0aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f28aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211caff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad4aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade143aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211caff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bcaff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade14aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f03aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebcaff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c75501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e45475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.223718aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db6083aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.223718aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.22371875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d603aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2caff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d2243aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f075501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e875501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d603aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bcaff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b4aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.2997783aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.299778aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f075501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f2875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b244aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d6075501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.20407075501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e4543aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade14aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b43aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d60aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2237183aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.204070aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db6083aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e45475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2caff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d224aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.22371875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.299778aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586acaff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98caff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586acaff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db608aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e83aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b43aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.29977875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.2997783aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.204070aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac75501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98caff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e4543aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f283aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62caff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c3aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d6075501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28caff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b2443aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f03aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad43aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f0aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2040703aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2040703aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad4aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b244aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d22475501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c3aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2237183aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.20407075501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b24475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d341475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b2443aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e8aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac75501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d22475501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db60875501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62caff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2242677804.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2242677804.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2122849521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2223392161.000001FEE2C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2239877416.0000026D22400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2236601280.0000022371800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2226705541.000001D06BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2220478952.000001DB60800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2235949925.0000029977800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2123118942.000002586AC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2239622733.00000240D6000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2225130467.000001E95B400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2240276888.000001EB28C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2242677804.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2240731961.000001E5EBC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152884734.0000015E45400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2242597580.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2225117056.000001DE62C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2242597580.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2242597580.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2123144246.0000020407000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2240400264.0000021E98C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2240224279.000001E211C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2215391513.0000020F5F000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184237650.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2220365924.0000026E8E800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2240361897.000002ADE1400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2240351092.000002A3AD400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184237650.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184237650.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2181624470.0000021B24400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2240490951.000002D341400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2236830094.00000212F2800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7208, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 32.2.rundll32.exe.21e98c75501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d60aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f28aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade143aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e8aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db608aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b4aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e83aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f283aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db60875501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad43aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d3414aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e454aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade1475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d341475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d34143aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d2243aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebcaff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28caff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f2875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade1475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d34143aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b24475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.29977875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d3414aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d224aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e875501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e454aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f0aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f28aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211caff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad4aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade143aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211caff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bcaff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade14aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f03aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebcaff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c75501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e45475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.223718aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db6083aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.223718aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.22371875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d603aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2caff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d2243aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f075501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e875501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d603aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bcaff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b4aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.2997783aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.299778aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f075501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f2875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b244aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d6075501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.20407075501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e4543aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade14aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b43aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d60aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2237183aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.204070aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db6083aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e45475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2caff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d224aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.22371875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.299778aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586acaff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98caff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586acaff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db608aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e83aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b43aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.29977875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.2997783aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.204070aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac75501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98caff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e4543aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f283aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62caff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c3aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d6075501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28caff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b2443aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f03aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad43aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f0aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2040703aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2040703aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad4aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b244aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d22475501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c3aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2237183aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.20407075501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b24475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d341475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b2443aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e8aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac75501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d22475501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db60875501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62caff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2242677804.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2122849521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2223392161.000001FEE2C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2239877416.0000026D22400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2236601280.0000022371800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2226705541.000001D06BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2220478952.000001DB60800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2235949925.0000029977800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2123118942.000002586AC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2239622733.00000240D6000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2225130467.000001E95B400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2240276888.000001EB28C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2240731961.000001E5EBC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152884734.0000015E45400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2225117056.000001DE62C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2242597580.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2123144246.0000020407000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2240400264.0000021E98C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2240224279.000001E211C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2215391513.0000020F5F000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2220365924.0000026E8E800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2240361897.000002ADE1400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2240351092.000002A3AD400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184237650.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2181624470.0000021B24400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2240490951.000002D341400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2236830094.00000212F2800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7208, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 32.2.rundll32.exe.21e98c75501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d60aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f28aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade143aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e8aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db608aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b4aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e83aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f283aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db60875501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad43aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e454aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade1475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d341475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d34143aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d2243aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebcaff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28caff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d3414aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f2875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade1475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d34143aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b24475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.29977875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d3414aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d224aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e875501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e454aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f0aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f28aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211caff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad4aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade143aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211caff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bcaff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade14aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f03aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebcaff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c75501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e45475501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.223718aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db6083aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.223718aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.22371875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d603aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2caff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d2243aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f075501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e875501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d603aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bcaff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b4aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.2997783aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.299778aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f075501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c75501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f2875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b244aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d6075501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.20407075501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e4543aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2ade14aff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b43aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d60aff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2237183aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.204070aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db6083aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e45475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2caff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d224aff40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc3aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.22371875501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.299778aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586acaff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c3aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98caff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586acaff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db608aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62c75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e83aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b43aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.29977875501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.2997783aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.204070aff40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac75501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98caff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.15e4543aab5.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.212f283aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62caff40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c3aab5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc3aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.240d6075501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.rundll32.exe.1e5ebc3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.rundll32.exe.21e98c3aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28caff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b2443aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.1d06bc75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f03aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad43aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.20f5f0aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.rundll32.exe.1e95b475501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2040703aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2040703aab5.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.2a3ad4aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b244aff40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d22475501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c3aab5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2237183aab5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.20407075501.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b24475501.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.2d341475501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.1fee2c75501.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.21b2443aab5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.26e8e8aff40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2586ac75501.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.26d22475501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.rundll32.exe.1db60875501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.1de62caff40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.rundll32.exe.1e211c75501.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.rundll32.exe.1eb28c75501.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2242677804.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2242677804.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2122849521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2223392161.000001FEE2C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2239877416.0000026D22400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2236601280.0000022371800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2226705541.000001D06BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2220478952.000001DB60800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2235949925.0000029977800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2123118942.000002586AC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2239622733.00000240D6000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2225130467.000001E95B400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2240276888.000001EB28C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2242677804.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2240731961.000001E5EBC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152884734.0000015E45400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2242597580.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2225117056.000001DE62C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2242597580.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2242597580.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2123144246.0000020407000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2240400264.0000021E98C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2240224279.000001E211C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2215391513.0000020F5F000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184237650.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2220365924.0000026E8E800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2240361897.000002ADE1400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2240351092.000002A3AD400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184237650.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184237650.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2181624470.0000021B24400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2240490951.000002D341400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2236830094.00000212F2800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7208, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	311 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	1 Credentials in Registry	25 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Rundll32	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U0160iauliai.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
#U0160iauliai.dll