Analysis Report XopHMqjs5a.bin

Overview

General Information

Sample Name: XopHMqjs5a.bin (renamed file extension from bin to dll)
Analysis ID: 358602
MD5: 49786eae402075152fbbe8cd4b69545e
SHA1: 58ce5b72ce7d72572da76c12d1db0a9a68b40004
SHA256: e14e8fe43636dab896cbb6f65e3389e41f999f1a52e813bc5469d8ed61de1aae
Tags: apt, ComRAT, turla

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: XopHMqjs5a.dll Virustotal: Detection: 43%
Source: XopHMqjs5a.dll Metadefender: Detection: 18%
Source: XopHMqjs5a.dll ReversingLabs: Detection: 62%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D423610 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 2_2_00007FFA7D423610

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: XopHMqjs5a.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE3A38 FindFirstFileExW, 3_2_000001DFEFCE3A38
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD8AE0 InternetReadFile,_realloc_dbg,InternetCloseHandle, 3_2_000001DFEFCD8AE0
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/account.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/family.svg
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/personal.svg
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/privacy.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/safe.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/verify-email.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/verify.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.en_GB.nzDRJirklLU.O/am=B4LYoYIGNAAIQ
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/ui/v1/activityindicator/loading.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/accounts?hl=
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.258828894.0000000D13E6B000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483074977.00000072B44F7000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/accounts?hl=en-GB
Source: rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp String found in binary or memory: https://support.google.com/accounts?hl=en-GBy
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/accounts?p=signin_privatebrowsing
Source: rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmp String found in binary or memory: https://support.google.com/accounts?p=signin_privatebrowsing&hl=en-GB
Source: rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmp String found in binary or memory: https://support.google.com/accounts?p=signin_privatebrowsing&hl=en-GB1S
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6130773
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/families/answer/7101025
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/gmail/
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/settings/hatsv2
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D31EE20 2_2_00007FFA7D31EE20
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D316660 2_2_00007FFA7D316660
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3E17BC 2_2_00007FFA7D3E17BC
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D31F6C0 2_2_00007FFA7D31F6C0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3AB6C0 2_2_00007FFA7D3AB6C0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D32F762 2_2_00007FFA7D32F762
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D31C210 2_2_00007FFA7D31C210
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3728E0 2_2_00007FFA7D3728E0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D321140 2_2_00007FFA7D321140
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3D7CC0 2_2_00007FFA7D3D7CC0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30FD8D 2_2_00007FFA7D30FD8D
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30FD5B 2_2_00007FFA7D30FD5B
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30FD63 2_2_00007FFA7D30FD63
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30FD6B 2_2_00007FFA7D30FD6B
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D335880 2_2_00007FFA7D335880
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30A090 2_2_00007FFA7D30A090
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D426070 2_2_00007FFA7D426070
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3F871C 2_2_00007FFA7D3F871C
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3ECFA4 2_2_00007FFA7D3ECFA4
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30A750 2_2_00007FFA7D30A750
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30AF70 2_2_00007FFA7D30AF70
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3ED224 2_2_00007FFA7D3ED224
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3D7A30 2_2_00007FFA7D3D7A30
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D324A80 2_2_00007FFA7D324A80
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D36D250 2_2_00007FFA7D36D250
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3E88E4 2_2_00007FFA7D3E88E4
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30CC00 2_2_00007FFA7D30CC00
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30BC10 2_2_00007FFA7D30BC10
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D314410 2_2_00007FFA7D314410
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D310CA0 2_2_00007FFA7D310CA0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30DC3B 2_2_00007FFA7D30DC3B
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30DC43 2_2_00007FFA7D30DC43
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30DC4B 2_2_00007FFA7D30DC4B
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D30DC68 2_2_00007FFA7D30DC68
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D425AC0 2_2_00007FFA7D425AC0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3202D0 2_2_00007FFA7D3202D0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3E8398 2_2_00007FFA7D3E8398
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D327BB0 2_2_00007FFA7D327BB0
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD94E0 3_2_000001DFEFCD94E0
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD44E0 3_2_000001DFEFCD44E0
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE0450 3_2_000001DFEFCE0450
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE7068 3_2_000001DFEFCE7068
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD57D0 3_2_000001DFEFCD57D0
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCDB750 3_2_000001DFEFCDB750
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD3360 3_2_000001DFEFCD3360
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD5EB0 3_2_000001DFEFCD5EB0
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD8220 3_2_000001DFEFCD8220
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD5230 3_2_000001DFEFCD5230
Found potential string decryption / allocating functions
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFA7D32A3E0 appears 39 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFA7D322D60 appears 41 times
One or more processes crash
Source: unknown Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6572 -s 552
Yara signature match
Source: 00000002.00000002.263563049.00007FFA7D4BB000.00000008.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: classification engine Classification label: mal68.evad.winDLL@8/5@0/0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D31CA70 LookupPrivilegeValueA,GetLastError,GetCurrentProcess,OpenProcessToken,CloseHandle,GetLastError,AdjustTokenPrivileges,CloseHandle,GetLastError, 2_2_00007FFA7D31CA70
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D325B30 GetLastError,LookupPrivilegeValueW,GetCurrentProcess,AdjustTokenPrivileges, 2_2_00007FFA7D325B30
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6572
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\FXSAPIDebugTrace.txt
Source: XopHMqjs5a.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,UMEP
Source: XopHMqjs5a.dll Virustotal: Detection: 43%
Source: XopHMqjs5a.dll Metadefender: Detection: 18%
Source: XopHMqjs5a.dll ReversingLabs: Detection: 62%
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\XopHMqjs5a.dll'
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,UMEP
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,VFEP
Source: unknown Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6572 -s 552
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,UMEP
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,VFEP
Source: C:\Windows\System32\rundll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe
Source: XopHMqjs5a.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: XopHMqjs5a.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: XopHMqjs5a.dll Static file information: File size 2646528 > 1048576
Source: XopHMqjs5a.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18ea00
Source: XopHMqjs5a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: XopHMqjs5a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: XopHMqjs5a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: XopHMqjs5a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XopHMqjs5a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: XopHMqjs5a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: XopHMqjs5a.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: XopHMqjs5a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: UxTheme.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbtP# source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbqP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_Win32.pdb## source: loaddll64.exe, 00000001.00000003.230095856.00000194EBD24000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223624426.000001B8E6899000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb!P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_Win32.pdb source: loaddll64.exe, 00000001.00000003.230095856.00000194EBD24000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223624426.000001B8E6899000.00000004.00000001.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_x64.pdb## source: loaddll64.exe, 00000001.00000003.230087540.00000194EBD2A000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223618483.000001B8E689F000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb@P? source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 00000009.00000003.243912108.000001D141277000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb}P< source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 00000009.00000003.244440116.000001D141271000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbXP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 00000009.00000003.243916936.000001D14127D000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: win32u.pdbVP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbLP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: gdi32full.pdbSP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb0 source: WerFault.exe, 00000009.00000003.243903823.000001D14126B000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: UxTheme.pdbUP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb"P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: imm32.pdb{P& source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: wininet.pdbrP- source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbIP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_x64.pdb source: loaddll64.exe, 00000001.00000003.230087540.00000194EBD2A000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223618483.000001B8E689F000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: gdi32.pdb_P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 00000009.00000003.244440116.000001D141271000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.243903823.000001D14126B000.00000004.00000001.sdmp
Source: Binary string: nsi.pdbGP2 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\.jenkins\workspace\C4\agent\browser_dll\Build\x64\wininet_2017.pdb source: rundll32.exe, 00000002.00000003.232676952.00000194BF296000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483336856.000001DFEFCE8000.00000002.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb~P9 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbJP5 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 00000009.00000003.243916936.000001D14127D000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 00000009.00000003.243912108.000001D141277000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3B05A0 LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 2_2_00007FFA7D3B05A0
PE file contains sections with non-standard names
Source: XopHMqjs5a.dll Static PE information: section name: .l2
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\System32\rundll32.exe Section loaded: OutputDebugStringW count: 230
Contains functionality to query network adapter information
Source: C:\Windows\System32\rundll32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 2_2_00007FFA7D3B05A0
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 3600000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 6556 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE3A38 FindFirstFileExW, 3_2_000001DFEFCE3A38
Source: iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp Binary or memory string: &quot;,null,null,null,null,null,null,null,&quot;ChUIuZTprvuutZslENChuJeF/enOiwE\u003d&quot;,&quot;en-GB&quot;,null,3,&quot;Northern Europe&quot;,2,null,&quot;6176295920541871976&quot;,null,[]]" data-initial-sign-in-data="%.@.&quot;gf.isid&quot;,[],null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,[],[28,10,20,22,29,6],null,&quot;AEThLlzoptESFx0fgJEPdd46NEqValN8UAuDb2iaIwyGcPdAQ8rzSbsY0wFyMB4ufOn-kl2ycY7ApofCrET7slcO5caqFWiIy6HdTLeodMSyxGBLV6bjrzRQgQEFEuMzLjiRUcvqSdyZJgiGlCq9SdjTEbFtTy_AnRJCYIYWap0KRGjkLUoSCgcnkfr8LdRtbR0BfJQnbzxw&quot;,[[]]]"><div jscontroller="YmeC5c" jsaction="click:jKoJid(preventDefault=true|DPJEMd),rYhRle(preventDefault=true|RTjbJ),WZ2Bje(Cuz2Ue);wMghFb:WWkjY;jiqeKb:UHZ0U;u3KAb:UHZ0U;CINcEf:IjS5bf;sPvj8e:XyQaue;rcuQ6b:WYd;" jsname="
Source: iexplore.exe, 00000003.00000002.483705599.000001DFF061C000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWOE)
Source: WerFault.exe, 00000009.00000002.255945191.000001D141560000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: iexplore.exe, 00000003.00000002.483705599.000001DFF061C000.00000004.00000020.sdmp, WerFault.exe, 00000009.00000002.255925998.000001D141360000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.255945191.000001D141560000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.255945191.000001D141560000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.255945191.000001D141560000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3D41C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFA7D3D41C8
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3B05A0 LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 2_2_00007FFA7D3B05A0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE1D44 GetProcessHeap, 3_2_000001DFEFCE1D44
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3D41C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFA7D3D41C8
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3CF494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFA7D3CF494
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCDB588 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000001DFEFCDB588
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE0030 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000001DFEFCE0030
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE76FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000001DFEFCE76FC

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFCD0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD00000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD10000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD20000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD30000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD40000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD50000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD60000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD70000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD80000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD90000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDA0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDB0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDC0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDD0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDE0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDF0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE00000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE10000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE20000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE30000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE40000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE50000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE60000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE70000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE80000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE90000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEA0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEB0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEC0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFED0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEE0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEF0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF00000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF10000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF20000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF30000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF40000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF50000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF60000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF70000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF80000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF90000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFA0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFB0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFC0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFD0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFE0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFF0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0000000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0010000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0020000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0030000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0040000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0050000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0060000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0070000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0080000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0090000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00A0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00B0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00C0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00D0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00E0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00F0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0100000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0110000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0120000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0130000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0140000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0150000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0160000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0170000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0180000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0190000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01A0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01B0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01C0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01D0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01E0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01F0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0200000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0210000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0220000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0230000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0240000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0250000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0260000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0270000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0280000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0290000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02A0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02B0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02C0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02D0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02E0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02F0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0300000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0310000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0320000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0330000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0340000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0350000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0360000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0370000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0380000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0390000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03A0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03B0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03C0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03D0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03E0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03F0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0400000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0410000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0420000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0430000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0440000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0450000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0460000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0470000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0480000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0490000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04A0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04B0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04C0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04D0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04E0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04F0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0500000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0510000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0520000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0530000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0540000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0550000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0560000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0570000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0580000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0590000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF05A0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD00000 protect: page execute and read and write Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Program Files\internet explorer\iexplore.exe EIP: F05A0000
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Program Files\internet explorer\iexplore.exe EIP: EFD00000
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Program Files\internet explorer\iexplore.exe EIP: EFCD6F90
Injects a PE file into a foreign processes
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFCD0000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD10000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD30000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD50000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD70000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD90000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDB0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDD0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDF0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE10000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE30000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE50000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE70000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE90000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEB0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFED0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEF0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF10000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF30000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF50000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF70000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF90000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFB0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFD0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFF0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0010000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0030000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0050000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0070000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0090000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00B0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00D0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00F0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0110000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0130000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0150000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0170000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0190000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01B0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01D0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01F0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0210000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0230000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0250000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0270000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0290000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02B0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02D0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02F0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0310000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0330000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0350000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0370000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0390000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03B0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03D0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03F0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0410000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0430000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0450000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0470000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0490000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04B0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04D0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04F0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0510000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0530000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0550000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0570000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0590000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF05A0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFCD0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD00000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE6E10 cpuid 3_2_000001DFEFCE6E10
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\rundll32.exe Code function: try_get_function,GetLocaleInfoW, 2_2_00007FFA7D3EA864
Source: C:\Windows\System32\rundll32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW, 2_2_00007FFA7D3F871C
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00007FFA7D3F8F84
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 2_2_00007FFA7D3F8A7C
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 2_2_00007FFA7D3EA164
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00007FFA7D3F9160
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 2_2_00007FFA7D3F8B4C
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D3EA8E8 try_get_function,GetSystemTimeAsFileTime, 2_2_00007FFA7D3EA8E8
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D325830 GetVersionExW,GetModuleHandleW,GetProcAddress, 2_2_00007FFA7D325830
Behavior Graph (ID: 358602, Sample: XopHMqjs5a.bin, Start date: 25/02/2021, Architecture: WINDOWS, Score: 68)

Process tree recovered from the graph: loaddll64.exe (flagged: Multi AV Scanner detection for submitted file) started rundll32.exe (two instances); the first rundll32.exe instance started WerFault.exe and iexplore.exe, and is annotated with: Writes to foreign memory regions, Allocates memory in foreign processes, Tries to delay execution (extensive OutputDebugStringW loop), and 2 other signatures.
No contacted IP infos