Analysis Report XopHMqjs5a.bin

Overview

General Information

Sample Name: XopHMqjs5a.bin (renamed file extension from bin to dll)
Analysis ID: 358602
MD5: 49786eae402075152fbbe8cd4b69545e
SHA1: 58ce5b72ce7d72572da76c12d1db0a9a68b40004
SHA256: e14e8fe43636dab896cbb6f65e3389e41f999f1a52e813bc5469d8ed61de1aae
Tags: apt, ComRAT, turla
Most interesting Screenshot:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll64.exe (PID: 6552 cmdline: loaddll64.exe 'C:\Users\user\Desktop\XopHMqjs5a.dll' MD5: 40E30D559A47CDA935973FA18C34ABA6)
    • rundll32.exe (PID: 6572 cmdline: rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,UMEP MD5: 73C519F050C20580F8A62C849D49215A)
      • iexplore.exe (PID: 6756 cmdline: c:\program files\internet explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • WerFault.exe (PID: 7004 cmdline: C:\Windows\system32\WerFault.exe -u -p 6572 -s 552 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6856 cmdline: rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,VFEP MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000002.00000002.263563049.00007FFA7D4BB000.00000008.00020000.sdmp
Rule: SUSP_XORed_MSDOS_Stub_Message
Description: Detects suspicious XORed MSDOS stub message
Author: Florian Roth
Strings:
  • 0x1846e:$xo1: \x8A\xB6\xB7\xAD\xFE\xAE\xAC\xB1\xB9\xAC\xBF\xB3\xFE\xBD\xBF\xB0\xB0\xB1\xAA\xFE\xBC\xBB\xFE\xAC\xAB\xB0\xFE\xB7\xB0\xFE\x9A\x91\x8D\xFE\xB3\xB1\xBA\xBB
  • 0x3666e:$xo1: Fz{a2b`}u`s\x7F2qs||}f2pw2`g|2{|2V]A2\x7F}vw

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: XopHMqjs5a.dll Virustotal: Detection: 43%
Source: XopHMqjs5a.dll Metadefender: Detection: 18%
Source: XopHMqjs5a.dll ReversingLabs: Detection: 62%
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA7D423610 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: XopHMqjs5a.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: UxTheme.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbtP# source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbqP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_Win32.pdb## source: loaddll64.exe, 00000001.00000003.230095856.00000194EBD24000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223624426.000001B8E6899000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb!P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_Win32.pdb source: loaddll64.exe, 00000001.00000003.230095856.00000194EBD24000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223624426.000001B8E6899000.00000004.00000001.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_x64.pdb## source: loaddll64.exe, 00000001.00000003.230087540.00000194EBD2A000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223618483.000001B8E689F000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb@P? source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 00000009.00000003.243912108.000001D141277000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb}P< source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 00000009.00000003.244440116.000001D141271000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbXP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 00000009.00000003.243916936.000001D14127D000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: win32u.pdbVP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbLP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: gdi32full.pdbSP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb0 source: WerFault.exe, 00000009.00000003.243903823.000001D14126B000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: UxTheme.pdbUP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb"P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: imm32.pdb{P& source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: wininet.pdbrP- source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbIP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_x64.pdb source: loaddll64.exe, 00000001.00000003.230087540.00000194EBD2A000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223618483.000001B8E689F000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: gdi32.pdb_P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 00000009.00000003.244440116.000001D141271000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.243903823.000001D14126B000.00000004.00000001.sdmp
Source: Binary string: nsi.pdbGP2 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\.jenkins\workspace\C4\agent\browser_dll\Build\x64\wininet_2017.pdb source: rundll32.exe, 00000002.00000003.232676952.00000194BF296000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483336856.000001DFEFCE8000.00000002.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb~P9 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbJP5 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 00000009.00000003.243916936.000001D14127D000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 00000009.00000003.243912108.000001D141277000.00000004.00000001.sdmp
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCE3A38 FindFirstFileExW,
Source: C:\Program Files\internet explorer\iexplore.exe Code function: 3_2_000001DFEFCD8AE0 InternetReadFile,_realloc_dbg,InternetCloseHandle,
Source: iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/G
Source: iexplore.exe, 00000003.00000002.483705599.000001DFF061C000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt05
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rundll32.exe, 00000002.00000002.263303161.00007FFA7D430000.00000002.00020000.sdmp, XopHMqjs5a.dll String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: rundll32.exe, 00000002.00000002.259812443.00000194C1100000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259949116.00000194C1300000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, iexplore.exe, 00000003.00000002.485264309.000001DFF24C0000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/
Source: rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/Logout?continue
Source: rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, iexplore.exe, 00000003.00000002.485264309.000001DFF24C0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtm
Source: rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service
Source: iexplore.exe, 00000003.00000002.483705599.000001DFF061C000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=mail&amp;passive=true&amp;rm=false&amp;continue=htt
Source: iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.go
Source: rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/SignUp?service
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.258828894.0000000D13E6B000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483074977.00000072B44F7000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/TOS?loc=GB&amp;hl=en-GB
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.258828894.0000000D13E6B000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483074977.00000072B44F7000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/TOS?loc=GB&amp;hl=en-GB&amp;privacy=true
Source: rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/TOS?loc=GB&hl=en-GB
Source: rundll32.exe, 00000002.00000002.259812443.00000194C1100000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/TOS?loc=GB&hl=en-GB&privacy=true
Source: rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/TOS?loc=GB&hl=en-GB&privacy=trueXd(wQNmvb);
Source: rundll32.exe, 00000002.00000002.259812443.00000194C1100000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/TOS?loc=GB&hl=en-GB&privacy=trueb
Source: rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/TOS?loc=GB&hl=en-GBmouseenter:tfO1Yc;
Source: iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: https://accounts.google.com/vZN6(
Source: rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp String found in binary or memory: https://accounts.youtube.com/accounts/CheckConnection
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.258828894.0000000D13E6B000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483074977.00000072B44F7000.00000004.00000001.sdmp String found in binary or memory: https://accounts.youtube.com/accounts/CheckConnection?pmpo
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://apis.google.com/js/base.js
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://g.co/recover
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/W
Source: rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmp String found in binary or memory: https://mail.google.com/mail/?ui
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: https://mail.google.com/mail/?ui%3Dhtml%26zy%3Dg&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1
Source: iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp String found in binary or memory: https://mail.google.com/mail/?ui%3Dhtml%26zy%3Dg&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=13
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/mail/?ui=html&zy=g
Source: iexplore.exe, 00000003.00000002.483540336.000001DFF05BC000.00000004.00000020.sdmp String found in binary or memory: https://mail.google.com/mail/?ui=html&zy=gD
Source: iexplore.exe, 00000003.00000002.483540336.000001DFF05BC000.00000004.00000020.sdmp String found in binary or memory: https://mail.google.com/mail/?ui=html&zy=gesws
Source: iexplore.exe, 00000003.00000002.483540336.000001DFF05BC000.00000004.00000020.sdmp String found in binary or memory: https://mail.google.com/mail/?ui=html&zy=ggram
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/mail/?ui=html&zy=gx
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidprofileupgrade_all_set.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_accounts.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_familylink.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_privacy.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_two_bikes.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/account.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/family.svg
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/personal.svg
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/privacy.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/safe.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/verify-email.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/verify.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.en_GB.nzDRJirklLU.O/am=B4LYoYIGNAAIQ
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://ssl.gstatic.com/ui/v1/activityindicator/loading.svg
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/accounts?hl=
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.258828894.0000000D13E6B000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483074977.00000072B44F7000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/accounts?hl=en-GB
Source: rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmpString found in binary or memory: https://support.google.com/accounts?hl=en-GBy
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/accounts?p=signin_privatebrowsing
Source: rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmpString found in binary or memory: https://support.google.com/accounts?p=signin_privatebrowsing&hl=en-GB
Source: rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmpString found in binary or memory: https://support.google.com/accounts?p=signin_privatebrowsing&hl=en-GB1S
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6130773
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/families/answer/7101025
Source: iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
Source: iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/gmail/
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/settings/hatsv2
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D31EE20
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D316660
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3E17BC
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D31F6C0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3AB6C0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D32F762
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D31C210
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3728E0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D321140
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3D7CC0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30FD8D
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30FD5B
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30FD63
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30FD6B
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D335880
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30A090
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D426070
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3F871C
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3ECFA4
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30A750
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30AF70
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3ED224
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3D7A30
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D324A80
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D36D250
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3E88E4
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30CC00
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30BC10
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D314410
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D310CA0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30DC3B
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30DC43
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30DC4B
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D30DC68
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D425AC0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3202D0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3E8398
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D327BB0
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCD94E0
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCD44E0
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCE0450
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCE7068
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCD57D0
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCDB750
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCD3360
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCD5EB0
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCD8220
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCD5230
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 00007FFA7D32A3E0 appears 39 times
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 00007FFA7D322D60 appears 41 times
Source: unknown | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6572 -s 552
Source: 00000002.00000002.263563049.00007FFA7D4BB000.00000008.00020000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: classification engine | Classification label: mal68.evad.winDLL@8/5@0/0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D31CA70 LookupPrivilegeValueA,GetLastError,GetCurrentProcess,OpenProcessToken,CloseHandle,GetLastError,AdjustTokenPrivileges,CloseHandle,GetLastError,
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D325B30 GetLastError,LookupPrivilegeValueW,GetCurrentProcess,AdjustTokenPrivileges,
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6572
Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\FXSAPIDebugTrace.txt
Source: XopHMqjs5a.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,UMEP
Source: XopHMqjs5a.dll | Virustotal: Detection: 43%
Source: XopHMqjs5a.dll | Metadefender: Detection: 18%
Source: XopHMqjs5a.dll | ReversingLabs: Detection: 62%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\XopHMqjs5a.dll'
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,UMEP
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,VFEP
Source: unknown | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6572 -s 552
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,UMEP
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,VFEP
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe
Source: XopHMqjs5a.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: XopHMqjs5a.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: XopHMqjs5a.dll | Static file information: File size 2646528 > 1048576
Source: XopHMqjs5a.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18ea00
Source: XopHMqjs5a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: XopHMqjs5a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: XopHMqjs5a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: XopHMqjs5a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XopHMqjs5a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: XopHMqjs5a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: XopHMqjs5a.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: XopHMqjs5a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: UxTheme.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbtP# source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbqP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_Win32.pdb## source: loaddll64.exe, 00000001.00000003.230095856.00000194EBD24000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223624426.000001B8E6899000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb!P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_Win32.pdb source: loaddll64.exe, 00000001.00000003.230095856.00000194EBD24000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223624426.000001B8E6899000.00000004.00000001.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_x64.pdb## source: loaddll64.exe, 00000001.00000003.230087540.00000194EBD2A000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223618483.000001B8E689F000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb@P? source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 00000009.00000003.243912108.000001D141277000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb}P< source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 00000009.00000003.244440116.000001D141271000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbXP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 00000009.00000003.243916936.000001D14127D000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: win32u.pdbVP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbLP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: gdi32full.pdbSP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb0 source: WerFault.exe, 00000009.00000003.243903823.000001D14126B000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: UxTheme.pdbUP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb"P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: imm32.pdb{P& source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: wininet.pdbrP- source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbIP source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: F:\Dev\NetInjector\bin\Release\NetBootstrapper_x64.pdb source: loaddll64.exe, 00000001.00000003.230087540.00000194EBD2A000.00000004.00000001.sdmp, rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.223618483.000001B8E689F000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: gdi32.pdb_P source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 00000009.00000003.244440116.000001D141271000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.245815738.000001D141D60000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.243903823.000001D14126B000.00000004.00000001.sdmp
Source: Binary string: nsi.pdbGP2 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\.jenkins\workspace\C4\agent\browser_dll\Build\x64\wininet_2017.pdb source: rundll32.exe, 00000002.00000003.232676952.00000194BF296000.00000004.00000001.sdmp, iexplore.exe, 00000003.00000002.483336856.000001DFEFCE8000.00000002.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb~P9 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbJP5 source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.245839067.000001D141D67000.00000004.00000040.sdmp
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 00000009.00000003.245775704.000001D141D61000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 00000009.00000003.243916936.000001D14127D000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 00000009.00000003.243912108.000001D141277000.00000004.00000001.sdmp
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3B05A0 LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
Source: XopHMqjs5a.dll | Static PE information: section name: .l2
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\System32\rundll32.exeSection loaded: OutputDebugStringW count: 230
Source: C:\Windows\System32\rundll32.exeCode function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 3600000
Source: C:\Windows\System32\loaddll64.exe TID: 6556Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\internet explorer\iexplore.exeCode function: 3_2_000001DFEFCE3A38 FindFirstFileExW,
Source: iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmpBinary or memory string: ...&quot;,null,null,null,null,null,null,null,&quot;ChUIuZTprvuutZslENChuJeF/enOiwE\u003d&quot;,&quot;en-GB&quot;,null,3,&quot;Northern Europe&quot;,2,null,&quot;6176295920541871976&quot;,null,[]]" data-initial-sign-in-data="%.@.&quot;gf.isid&quot;,[],null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,[],[28,10,20,22,29,6],null,&quot;AEThLlzoptESFx0fgJEPdd46NEqValN8UAuDb2iaIwyGcPdAQ8rzSbsY0wFyMB4ufOn-kl2ycY7ApofCrET7slcO5caqFWiIy6HdTLeodMSyxGBLV6bjrzRQgQEFEuMzLjiRUcvqSdyZJgiGlCq9SdjTEbFtTy_AnRJCYIYWap0KRGjkLUoSCgcnkfr8LdRtbR0BfJQnbzxw&quot;,[[]]]"><div jscontroller="YmeC5c" jsaction="click:jKoJid(preventDefault=true|DPJEMd),rYhRle(preventDefault=true|RTjbJ),WZ2Bje(Cuz2Ue);wMghFb:WWkjY;jiqeKb:UHZ0U;u3KAb:UHZ0U;CINcEf:IjS5bf;sPvj8e:XyQaue;rcuQ6b:WYd;" jsname="
Source: iexplore.exe, 00000003.00000002.483705599.000001DFF061C000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWOE)
Source: WerFault.exe, 00000009.00000002.255945191.000001D141560000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: iexplore.exe, 00000003.00000002.483705599.000001DFF061C000.00000004.00000020.sdmp, WerFault.exe, 00000009.00000002.255925998.000001D141360000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.255945191.000001D141560000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.255945191.000001D141560000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.255945191.000001D141560000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA7D3D41C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA7D3B05A0 LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
Source: C:\Program Files\internet explorer\iexplore.exeCode function: 3_2_000001DFEFCE1D44 GetProcessHeap,
Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA7D3D41C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA7D3CF494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files\internet explorer\iexplore.exeCode function: 3_2_000001DFEFCDB588 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files\internet explorer\iexplore.exeCode function: 3_2_000001DFEFCE0030 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files\internet explorer\iexplore.exeCode function: 3_2_000001DFEFCE76FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFCD0000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD00000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD10000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD20000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD30000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD40000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD50000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD60000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD70000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD80000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD90000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDA0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDB0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDC0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDD0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDE0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDF0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE00000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE10000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE20000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE30000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE40000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE50000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE60000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE70000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE80000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE90000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEA0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEB0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEC0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFED0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEE0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEF0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF00000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF10000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF20000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF30000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF40000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF50000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF60000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF70000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF80000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF90000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFA0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFB0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFC0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFD0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFE0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFF0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0000000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0010000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0020000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0030000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0040000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0050000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0060000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0070000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0080000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0090000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00A0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00B0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00C0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00D0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00E0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00F0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0100000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0110000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0120000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0130000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0140000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0150000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0160000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0170000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0180000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0190000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01A0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01B0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01C0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01D0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01E0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01F0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0200000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0210000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0220000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0230000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0240000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0250000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0260000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0270000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0280000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0290000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02A0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02B0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02C0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02D0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02E0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02F0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0300000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0310000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0320000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0330000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0340000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0350000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0360000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0370000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0380000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0390000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03A0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03B0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03C0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03D0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03E0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03F0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0400000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0410000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0420000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0430000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0440000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0450000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0460000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0470000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0480000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0490000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04A0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04B0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04C0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04D0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04E0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04F0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0500000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0510000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0520000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0530000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0540000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0550000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0560000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0570000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0580000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0590000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF05A0000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD00000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\rundll32.exeThread created: C:\Program Files\internet explorer\iexplore.exe EIP: F05A0000
Source: C:\Windows\System32\rundll32.exeThread created: C:\Program Files\internet explorer\iexplore.exe EIP: EFD00000
Source: C:\Windows\System32\rundll32.exeThread created: C:\Program Files\internet explorer\iexplore.exe EIP: EFCD6F90
Injects a PE file into a foreign processes
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFCD0000 value starts with: 4D5A
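Taken one at a time, the lines under Malware Analysis System Evasion (the OutputDebugStringW loop, the 3600000 ms delay, the DebugPort queries) and under HIPS / PFW / Operating System Protection Evasion (foreign allocations, a write beginning 4D5A, remote threads) are weak signals; the value is in correlating them. The Python below is an added example for this report, not Joe Sandbox code, and it works on behaviour lines in the report's own format. Its sample input is a constructed subset of the lines above. It assumes that a region extends to the next allocation base in the same target process (or one 64 KiB allocation granule for the last one), since the report prints bases but no sizes, and that the EIP values are the low 32 bits of the thread start address: that is how F05A0000 lines up with base 1DFF05A0000, EFD00000 with 1DFEFD00000, and EFCD6F90 falls 0x6F90 bytes into the RWX region at 1DFEFCD0000 that received the MZ header. The delay and call-count thresholds are assumed tuning values.

```python
"""Correlate Joe Sandbox behaviour lines into evasion findings and an injection chain.
Added example for this report, not Joe Sandbox code."""
import re

# Constructed sample in the report's own format (a subset of the lines above).
# The report fuses the reporting process to the event name ("rundll32.exeMemory
# allocated"), so EVENT_RE splits on the ".exe" boundary.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\rundll32.exeSection loaded: OutputDebugStringW count: 230
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 3600000
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFCD0000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD00000 protect: page read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFF05A0000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exeMemory allocated: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD00000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFCD0000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD10000
Source: C:\Windows\System32\rundll32.exeThread created: C:\Program Files\internet explorer\iexplore.exe EIP: F05A0000
Source: C:\Windows\System32\rundll32.exeThread created: C:\Program Files\internet explorer\iexplore.exe EIP: EFD00000
Source: C:\Windows\System32\rundll32.exeThread created: C:\Program Files\internet explorer\iexplore.exe EIP: EFCD6F90
"""

EVENT_RE = re.compile(r"^Source: (?P<src>.+?\.exe)(?P<event>Section loaded|Thread delayed|"
                      r"Process queried|Memory allocated|Memory written|Thread created): (?P<rest>.*)$")
ALLOC_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
THREAD_RE = re.compile(r"^(?P<target>.+?) EIP: (?P<eip>[0-9A-Fa-f]+)$")

# Assumption: the report prints only bases, so a region is taken to run to the next
# allocation in the same target, or one 64 KiB allocation granule if it is the last.
GRANULARITY = 0x10000


def parse(text):
    """(source process, event name, remainder) for every recognised line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["src"], m["event"], m["rest"]))
    return events


def evasion_findings(events, min_delay_ms=300_000, min_ods_calls=50):
    """Stalling and anti-debug indicators; the thresholds are assumed tuning values."""
    out = []
    for src, ev, rest in events:
        if ev == "Thread delayed":
            ms = int(re.search(r"delay time: (\d+)", rest)[1])
            if ms >= min_delay_ms:
                out.append((src, "long_delay", ms))
        elif ev == "Section loaded" and rest.startswith("OutputDebugStringW"):
            n = int(re.search(r"count: (\d+)", rest)[1])
            if n >= min_ods_calls:  # a tight OutputDebugStringW loop burns sandbox time
                out.append((src, "outputdebugstring_loop", n))
        elif ev == "Process queried" and rest == "DebugPort":
            out.append((src, "debugport_query", 1))  # ProcessDebugPort anti-debug check
    return out


def injection_chain(events):
    """Tie foreign allocations, MZ writes and remote thread start addresses together."""
    regions, threads = {}, []  # (target, base) -> {"prots": [...], "pe": bool}
    for src, ev, rest in events:
        if ev == "Memory allocated":
            m = ALLOC_RE.match(rest)
            r = regions.setdefault((m["target"], int(m["base"], 16)), {"prots": [], "pe": False})
            r["prots"].append(m["prot"])  # a later RW -> RWX line is a re-protect of the same region
        elif ev == "Memory written":
            m = WRITE_RE.match(rest)
            if m["magic"] and m["magic"].upper().startswith("4D5A"):  # "MZ": a PE header lands here
                regions.setdefault((m["target"], int(m["base"], 16)), {"prots": [], "pe": False})["pe"] = True
        elif ev == "Thread created":
            m = THREAD_RE.match(rest)
            threads.append((m["target"], int(m["eip"], 16)))

    def region_of(target, eip):
        # The report prints the start address as its low 32 bits (F05A0000 for base
        # 1DFF05A0000), so compare against the low dword of each region.
        for (t, base), info in regions.items():
            if t != target:
                continue
            end = min((b for tt, b in regions if tt == target and b > base), default=base + GRANULARITY)
            lo = base & 0xFFFFFFFF
            if lo <= eip < lo + (end - base):
                return base, eip - lo, info
        return None, None, None

    result = {"executable_regions": [], "pe_regions": [], "threads": []}
    for (_, base), info in regions.items():
        if any("execute" in p for p in info["prots"]):
            result["executable_regions"].append(base)
        if info["pe"]:
            result["pe_regions"].append(base)
    for target, eip in threads:
        base, off, info = region_of(target, eip)
        result["threads"].append({"eip": eip, "region": base, "offset": off,
                                  "in_pe": bool(info and info["pe"])})
    return result


if __name__ == "__main__":
    evs = parse(SAMPLE_LINES)
    print("evasion:", evasion_findings(evs))
    for t in injection_chain(evs)["threads"]:
        where = f"region {t['region']:X}+{t['offset']:#x}" if t["region"] is not None else "untracked memory"
        print(f"remote thread {t['eip']:X} -> {where}", "(inside injected PE image)" if t["in_pe"] else "")
```

The finding worth escalating is the last thread: its start address lies inside the region that was allocated RWX and then written with a 4D5A header, so rundll32.exe is not merely writing into iexplore.exe but executing a PE image it placed there. The 1DFEFD00000 region appearing first as read/write and later as execute/read/write is the write-then-flip-to-executable pattern; tracking all protections per region rather than only the first keeps that visible. The region-size heuristic is the weak point of this correlation: on a report with many 64 KiB allocations it is exact, but a single large allocation followed by a gap will be under-estimated.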
Writes to foreign memory regions
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD10000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD30000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD50000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD70000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD90000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDB0000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDD0000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFDF0000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE10000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE30000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE50000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE70000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFE90000
Source: C:\Windows\System32\rundll32.exeMemory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEB0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFED0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFEF0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF10000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF30000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF50000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF70000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFF90000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFB0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFD0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFFF0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0010000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0030000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0050000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0070000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0090000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00B0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00D0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF00F0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0110000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0130000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0150000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0170000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0190000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01B0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01D0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF01F0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0210000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0230000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0250000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0270000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0290000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02B0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02D0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF02F0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0310000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0330000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0350000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0370000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0390000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03B0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03D0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF03F0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0410000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0430000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0450000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0470000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0490000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04B0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04D0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF04F0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0510000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0530000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0550000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0570000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF0590000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFF05A0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFCD0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Program Files\internet explorer\iexplore.exe base: 1DFEFD00000
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: iexplore.exe, 00000003.00000002.484482235.000001DFF0B30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Program Files\internet explorer\iexplore.exe | Code function: 3_2_000001DFEFCE6E10 cpuid
Source: C:\Windows\System32\rundll32.exe | Code function: try_get_function,GetLocaleInfoW,
Source: C:\Windows\System32\rundll32.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,
Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D3EA8E8 try_get_function,GetSystemTimeAsFileTime,
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_00007FFA7D325830 GetVersionExW,GetModuleHandleW,GetProcAddress,
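The run above shows the classic remote-injection chain from rundll32.exe into iexplore.exe: a process is created, dozens of regions are written into it, and (per the behavior graph below) memory is allocated in the foreign process and a thread started in it. The following is an added detection example, not part of the Joe Sandbox report, that correlates Sysmon-style ProcessCreate (event ID 1), ProcessAccess (ID 10) and CreateRemoteThread (ID 8) records into a single finding. The event records are constructed for the example: the PIDs and image paths mirror the sandbox process tree, but the GrantedAccess masks, the thread start address and the record shape are assumptions, not data from the report.

```python
"""Correlate Sysmon-style process events into a remote-injection finding:
source spawns target, opens it with write/thread rights, starts a thread in it."""
from collections import defaultdict

# Process access rights (winnt.h) an injector needs on the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed records in the shape of Sysmon event IDs 1 (ProcessCreate),
# 10 (ProcessAccess) and 8 (CreateRemoteThread). PIDs and images mirror the
# sandbox process tree; the masks and the start address are assumptions.
EVENTS = [
    {"id": 1, "pid": 6756, "ppid": 6572,
     "image": r"C:\Program Files\internet explorer\iexplore.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe"},
    {"id": 10, "src_pid": 6572, "dst_pid": 6756, "granted": "0x1FFFFF"},
    {"id": 8, "src_pid": 6572, "dst_pid": 6756, "start_address": "0x1DFEFCE6E10"},
    # Benign noise: a monitoring tool opening the new process for query only.
    {"id": 10, "src_pid": 4444, "dst_pid": 6756, "granted": "0x1000"},
    # A child that is spawned but never written to or threaded into.
    {"id": 1, "pid": 7001, "ppid": 6572,
     "image": r"C:\Windows\System32\WerFault.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe"},
]


def correlate(events):
    """Return one finding per (source, target) pair showing an injection chain."""
    created = {}                 # child pid -> (parent pid, child image, parent image)
    access = defaultdict(int)    # (src, dst) -> OR of every GrantedAccess mask seen
    threads = defaultdict(list)  # (src, dst) -> remote-thread start addresses
    for ev in events:
        if ev["id"] == 1:
            created[ev["pid"]] = (ev["ppid"], ev["image"], ev["parent_image"])
        elif ev["id"] == 10:
            access[(ev["src_pid"], ev["dst_pid"])] |= int(ev["granted"], 16)
        elif ev["id"] == 8:
            threads[(ev["src_pid"], ev["dst_pid"])].append(ev["start_address"])

    findings = []
    for (src, dst), starts in threads.items():
        # The remote thread is the pivot; require at least one corroborating fact,
        # since a lone CreateRemoteThread also comes from debuggers and AV hooks.
        reasons = ["remote thread created in target"]
        if access.get((src, dst), 0) & WRITE_RIGHTS == WRITE_RIGHTS:
            reasons.append("handle with PROCESS_VM_OPERATION|PROCESS_VM_WRITE")
        ppid, image, parent_image = created.get(dst, (None, None, None))
        if ppid == src:
            reasons.append("target was spawned by source")
        if len(reasons) < 2:
            continue
        findings.append({"source": src, "target": dst, "target_image": image,
                         "source_image": parent_image if ppid == src else None,
                         "thread_starts": starts, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"pid {f['source']} -> pid {f['target']} ({f['target_image']}): "
              + "; ".join(f["reasons"]))
```

Two practical notes: Sysmon only emits ProcessAccess for the rules in its configuration, so the parentage corroboration is kept independent of event ID 10 being present; and the creator of a suspended child already holds a full-access handle from process creation, which is another reason to treat "spawned by source" plus a remote thread as sufficient on its own.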

Mitre Att&ck Matrix

Cells with trailing digits are the techniques this run's signatures mapped to; in the rendered matrix those digits are separate superscript badges counting the matching signatures per severity tier, so "Process Injection 412" reads as 4, 1 and 2 signatures, not as 412. All other cells are the unmatched matrix template. Cells are separated with " | "; the rendered matrix has fewer cells in its lower rows, so the rows below do not align column for column.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 13 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 412 | Access Token Manipulation 1 | LSASS Memory | Security Software Discovery 31 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 412 | Security Account Manager | Virtualization/Sandbox Evasion 13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | System Network Configuration Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 358602 | Sample: XopHMqjs5a.bin | Start date: 25/02/2021 | Architecture: WINDOWS | Score: 68

Process tree with the signatures the graph attaches to each node:

• Sample start: Multi AV Scanner detection for submitted file
  • loaddll64.exe, started from the sample
    • rundll32.exe, started by loaddll64.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Tries to delay execution (extensive OutputDebugStringW loop); 2 other signatures
      • WerFault.exe, started by rundll32.exe
      • iexplore.exe, started by rundll32.exe
    • rundll32.exe (second instance), started by loaddll64.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
XopHMqjs5a.dll | 43% | Virustotal |
XopHMqjs5a.dll | 19% | Metadefender |
XopHMqjs5a.dll | 62% | ReversingLabs | Win64.Trojan.Turla

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://pki.goog/gsr2/G | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt05 | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2 | 1% | Virustotal |
http://crl.pki.goog/gsr2 | 0% | Avira URL Cloud | safe

All of these are Google Trust Services certificate endpoints (OCSP, CRL and CA-issuer URLs for the GTS1O1 and GSR2 chain) recovered from iexplore.exe memory; the trailing characters are most likely adjacent bytes of the certificate encoding. With no contacted domains or IPs recorded for the run, they are certificate-validation artefacts of the browser, not evidence of sample C2.

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp; iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp | false | | high
http://ocsp.pki.goog/gts1o1core0 | iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd | rundll32.exe, 00000002.00000002.263303161.00007FFA7D430000.00000002.00020000.sdmp; XopHMqjs5a.dll | false | | high
http://crl.pki.goog/GTS1O1core.crl0 | iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pki.goog/gsr2/GTS1O1.crt0 | iexplore.exe, 00000003.00000002.483705599.000001DFF061C000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://g.co/recover | rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp; iexplore.exe, 00000003.00000003.238673662.000001DFF26C0000.00000004.00000001.sdmp | false | | high
http://pki.goog/gsr2/G | iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://pki.goog/gsr2/GTS1O1.crt05 | iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://accounts.youtube.com/accounts/CheckConnection?pmpo | rundll32.exe, 00000002.00000002.260263571.00000194C1A9C000.00000004.00000001.sdmp; rundll32.exe, 00000002.00000002.258828894.0000000D13E6B000.00000004.00000001.sdmp; rundll32.exe, 00000002.00000002.259219229.00000194BF293000.00000004.00000020.sdmp; rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp; iexplore.exe, 00000003.00000003.468612397.000001DFF065C000.00000004.00000001.sdmp; iexplore.exe, 00000003.00000002.483074977.00000072B44F7000.00000004.00000001.sdmp | false | | high
http://crl.pki.goog/gsr2/gsr2.crl0? | iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.pki.goog/gsr202 | iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://pki.goog/repository/0 | iexplore.exe, 00000003.00000003.468641114.000001DFF05F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://accounts.youtube.com/accounts/CheckConnection | rundll32.exe, 00000002.00000002.259064998.00000194BF1E8000.00000004.00000020.sdmp | false | | high
http://crl.pki.goog/gsr2 | iexplore.exe, 00000003.00000002.483730348.000001DFF062E000.00000004.00000020.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:31.0.0 Emerald
            Analysis ID:358602
            Start date:25.02.2021
            Start time:22:22:17
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 6m 38s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:XopHMqjs5a.bin (renamed file extension from bin to dll)
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal68.evad.winDLL@8/5@0/0
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 100% (good quality ratio 90.5%)
            • Quality average: 64.9%
            • Quality standard deviation: 32.2%
            HCA Information:
            • Successful, ratio: 57%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            Warnings:
            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 52.255.188.83, 204.79.197.200, 13.107.21.200, 168.61.161.212, 23.54.113.53, 13.88.21.125, 172.217.18.101, 142.250.180.77, 23.218.208.56, 51.104.139.180, 20.54.26.129, 51.103.5.186, 51.11.168.160, 92.122.213.247, 92.122.213.194
            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, mail.google.com, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, googlemail.l.google.com, skypedataprdcolwus15.cloudapp.net
            • Report size getting too big, too many NtSetInformationFile calls found.

            Simulations

            Behavior and APIs

Time | Type | Description
22:23:02 | API Interceptor | 11x Sleep call for process: rundll32.exe modified
22:23:08 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
22:23:19 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_Xop_9da2e3997a1c15633138daed762c79346e86c11_11c14f18_1b0b4d1f\Report.wer
            Process:C:\Windows\System32\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):11462
            Entropy (8bit):3.765303187129735
            Encrypted:false
            SSDEEP:192:wliyJKl93HeK13qjIoBz/u7sDS274ltYd:ei8KlleK16jTz/u7sDX4ltYd
            MD5:B27C2E539FD9B5F68C137F58864C06A3
            SHA1:52C0D18A456DB297DA7C22C516C6AAA5AE3352E3
            SHA-256:8B214D734A7AECDF35C6CB0F7DCE9F59C5C95A049A5398D5A2A96EFB90FA311D
            SHA-512:2E51B17CC009B42B15B2D0E7EBD3DD7BF784DB03DD4D78D03FAC0E2F8B83D38854EADB342461E53CDCDD1DD6D9511729416556D65F1109DA323D255272B7A9E4
            Malicious:false
            Reputation:low
            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.7.9.4.1.9.5.2.0.6.4.0.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.7.9.4.1.9.7.1.5.9.5.2.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.0.3.e.7.0.7.-.b.e.d.3.-.4.f.3.d.-.a.a.c.1.-.a.6.8.9.1.4.e.1.5.1.1.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.1.b.9.7.0.4.-.0.2.e.c.-.4.4.3.1.-.a.d.9.f.-.8.3.2.7.4.5.1.1.b.7.c.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.X.o.p.H.M.q.j.s.5.a...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.a.c.-.0.0.0.1.-.0.0.1.6.-.e.8.2.9.-.8.0.d.5.0.7.0.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AFE.tmp.dmp
            Process:C:\Windows\System32\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Fri Feb 26 06:23:15 2021, 0x1205a4 type
            Category:dropped
            Size (bytes):86332
            Entropy (8bit):1.6137031286094825
            Encrypted:false
            SSDEEP:384:G0skghfXzng4eWTD/2td4tYS9PmTQo9fqCgP5:HsIm/2td4tYSXF5
            MD5:BA77DCAB0C82D32A8D797D84EC1062A9
            SHA1:F43D6CCD358BF7913C92CC895B033B7A8CB63529
            SHA-256:BCC0707298659AC0C8E218FFFB8520E4A841677E0F600C77D276B891D44EAF92
            SHA-512:CD493A2225703AAEBC881B8B84C3A2E49F8E393765DB914B98DD12A63F87508D49F9EAF78578C80567DB27E8162953DCCB3FEB3ED917980E64402BA76595EAE9
            Malicious:false
            Reputation:low
            Preview: MDMP....... ........8`...................U...........B..............Lw.................A....T............8`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...a.m.d.6.4.,.1.0...0...1.7.1.3.4...1.......................................................................................................
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D22.tmp.WERInternalMetadata.xml
            Process:C:\Windows\System32\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):8722
            Entropy (8bit):3.7031757789933017
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNiTMYI6YW7d25gmf+MSFlCprQ89bOnHRdfSam:RrlsNi4YI6Yq6gmf+MS6Onxdfm
            MD5:B3EE4526167D529D3475692F12CFA1B4
            SHA1:619BAE47051D69593B2D5B7A2452894C3780A664
            SHA-256:0D149863F31A7DD2821549FFBB624EF94BDEE277B40A6F3F91FA282D46AE0130
            SHA-512:85A7EA97D82392044C2C3CBD761C9E9E6A32BD88460FE43081DD797861FC1D2A20497AA9E3CBC51282EAAA793BED5FBD02E3DB9F6A3EB37702443BD30D92EA8E
            Malicious:false
            Reputation:low
            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.7.2.<./.P.i.d.>.......
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E7B.tmp.xml
            Process:C:\Windows\System32\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4732
            Entropy (8bit):4.484066983094736
            Encrypted:false
            SSDEEP:48:cvIwSD8zsgJgtBI9MCWSC8Bm8fm8M4JCRCIzFQyq85mYYZESC5SYd:uITfmmDSNJJjjVvYd
            MD5:5CCB73BCDE0D536EA055D16FA150944B
            SHA1:B5E9F798C87258705CB72221DE0529ED000080B2
            SHA-256:BD749B0168BCD43E3951ADF4474459F93594FE9DF91EAE816D80597BD5596920
            SHA-512:AAA1304098ECC32CFD79EBF05B8F7C62BA09E76923B3B3AB50F16225CEDE8E820B2EEF56C7B918F1AA5A6649E1C7460CB4E2CA8B6C37708752F3DD95243D54F7
            Malicious:false
            Reputation:low
            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="877893" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
            C:\Users\user\AppData\Local\Temp\FXSAPIDebugTrace.txt
            Process:C:\Windows\System32\rundll32.exe
            File Type:data
            Category:dropped
            Size (bytes):241152
            Entropy (8bit):7.971111697646354
            Encrypted:false
            SSDEEP:3072:bLengVqiaZ5r3Y92Y5MBqnPHEsKcHJMntvU2jqpUc:Xeg4iaHr3k23BQPHEEJYU2jCP
            MD5:7238A40F0D483EF0E5B4910546EA296B
            SHA1:21CD2BDF11A6421A97A1C4EED3A391D6780B20CD
            SHA-256:333A0B8B31208097D2D8C15D5ADFE6C325E5BDF097EF0C90C9A7DD4287ADCB61
            SHA-512:EB4AB5B775E85FDA14FAA8215F16862516768A956D5AD99DCD5926545E1BBF223C100709643F74510F67354F7C4F07574E25F2C4965A54A96144980F4CD500DD
            Malicious:false
            Reputation:low
            Preview: ..%......."....Qq.H<a......|/.E...t...p.....Z:}...{......|..._.Kp..|..*.S.@..5...*...b...0...G.:{.1>..$.C.8........soX .[..L...U:.^h.)p.vK1[....).`...I.N...[..U.~..=.E......R..'{. w!.....d....[..q....;.)&..I...WW8C....t.....:...Gg..=()-...h.....k..........AO.KH*./..S......(.!...W.rs.i.o..cr)8]...P.@.9.Tm.n.tyyZ.mI....W...l+.>.........+..wo..-....%3p..E...n^'.7..{.....+.v.%...o.Dz.W/......ub.>...#.b..{.#2....9...`.M...-H.....S,........0.4....x......q.st..f...W._...e.&._..A#...X.>....T.+.(..G...q.z+..j..-.Rr.i..tD...+..".O.9f..n....8Y.Z.p......`...E...r.l.m2.T.P......2:d..?........=... 'Z....d.V..:+ ..v-.(.}..5tW......x..y...J....0J..:..........'...I....K..=w]./..6+.>.w....(.=...B..... .....;.(..u.3E.6.z.....,.m<.Y...!.....7i&G.<M......Te7L....2).|.Z2..X..^.vt`.w.Y..... ......C.O[..'...p.t.j..L.............(*....t.4...B[62....G.@m.*..DHNq.3Z....n?..]BH@.3y'.S......O>Z.Q-..B}C..5...b7/?.....F~..4....<.\u.y*..+W......`... ..Y...)`..~.j$.Q.%......
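Every dropped-file and static-file record above carries an "Entropy (8bit)" value. Below is an added example, not part of the report, that computes that metric (Shannon entropy in bits per byte) and scans a buffer for high-entropy windows, which is how one would confirm that a 241152-byte file reported at entropy 7.97, such as FXSAPIDebugTrace.txt above, is compressed or encrypted throughout rather than plain data with a small random blob inside. The input buffers, the 7.5 bits-per-byte window threshold and the classification bands are constructed for the example and are not the sandbox's own thresholds.

```python
"""Shannon entropy in bits per byte (the report's 'Entropy (8bit)') and a
windowed scan that locates compressed or encrypted regions inside a file."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 4096, threshold: float = 7.5):
    """Offsets of fixed-size windows whose entropy meets the threshold.
    The threshold is an assumption for this example; tune it per file class."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def classify(data: bytes) -> str:
    """Coarse label from whole-buffer entropy; the bands are this example's own."""
    h = shannon_entropy(data)
    if h >= 7.9:
        return "likely encrypted or compressed"
    if h >= 6.5:
        return "packed or mixed binary"
    return "plain"


# Constructed inputs: UTF-16 text shaped like a WER report, and a uniform
# block (every byte value 16 times) standing in for ciphertext.
UTF16_TEXT = "Version=1\r\nEventType=APPCRASH\r\nReportType=2\r\n".encode("utf-16-le")
UNIFORM = bytes(range(256)) * 16          # 4096 bytes, exactly 8.0 bits/byte
MIXED = b"\x00" * 4096 + UNIFORM + b"\x00" * 4096

if __name__ == "__main__":
    for name, buf in [("utf16 text", UTF16_TEXT), ("uniform", UNIFORM), ("mixed", MIXED)]:
        print(f"{name:10s} entropy={shannon_entropy(buf):.3f} -> {classify(buf)}")
    print("high-entropy windows in mixed:", high_entropy_windows(MIXED))
```

Whole-file entropy alone hides structure: a mostly-zero file with one encrypted blob scores low, while the windowed scan still flags the blob's offset. That is the check worth running before deciding whether a dropped file is a configuration store, a payload, or padding.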

            Static File Info

            General

            File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Entropy (8bit):6.4982220371601365
            TrID:
            • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
            • Win64 Executable (generic) (12005/4) 10.17%
            • Generic Win/DOS Executable (2004/3) 1.70%
            • DOS Executable Generic (2002/1) 1.70%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
            File name:XopHMqjs5a.dll
            File size:2646528
            MD5:49786eae402075152fbbe8cd4b69545e
            SHA1:58ce5b72ce7d72572da76c12d1db0a9a68b40004
            SHA256:e14e8fe43636dab896cbb6f65e3389e41f999f1a52e813bc5469d8ed61de1aae
            SHA512:bc26092555f23842970da7a50d3cc47ed7090f85f239f3ff9e6289e9b3a34a0c80ed3673bccde0a3fb3160538514fe96cbf2ff4cadf41596b12b5c947aa80125
            SSDEEP:24576:2wwa7wJFqsF1Oi+tQLMEcDaMi2RMQwedBxuG5svR4zkFbpgks4OxbxTe9nJFfueo:dbP/TbcfJoyVOCpVetNJCdCOVaKE1
            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........I2KX(\.X(\.X(\.7LX.J(\.7L_.T(\.7LY..(\..@_.Q(\..@Y..(\..@X.x(\.7L].Q(\.X(]..(\.>@T.I(\.>@X.A(\.>@Y..(\.>@\.Y(\.>@..Y(\.>@^.Y(\

            File Icon

            Icon Hash:74f0e4ecccdce0e4

            Static PE Info

            General

            Entrypoint:0x18012ff14
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x180000000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Time Stamp:0x5DDE274A [Wed Nov 27 07:35:38 2019 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:8a894dca0e2cdbfa32d08d1c9f01a11a

            Entrypoint Preview

Instruction (decoded as x86-64: the report's preview ran a 32-bit decoder over this PE32+ entry stub, so every `dec eax`, `dec ecx`, `dec esp` and `inc eax` it printed is really a REX prefix byte, 0x48, 0x49, 0x4C and 0x40, belonging to the instruction after it, and `[disp32]` operands are RIP-relative; the branch targets are left as the decoder printed them)

The first routine has the shape of the MSVC CRT `_DllMainCRTStartup` stub: save rbx/rsi, keep the three DllMain arguments in rsi/ebx/rdi, call the security-cookie initialiser only when fdwReason == 1 (DLL_PROCESS_ATTACH), then tail-jump to the CRT dispatch routine.

mov qword ptr [rsp+08h], rbx
mov qword ptr [rsp+10h], rsi
push rdi
sub rsp, 20h
mov rdi, r8
mov ebx, edx
mov rsi, rcx
cmp edx, 01h
jne 00007F0E84C9A697h
call 00007F0E84C9AA58h
mov r8, rdi
mov edx, ebx
mov rcx, rsi
mov rbx, qword ptr [rsp+30h]
mov rsi, qword ptr [rsp+38h]
add rsp, 20h
pop rdi
jmp 00007F0E84C9A524h
int3
int3
int3
push rbx
sub rsp, 20h
mov rbx, rcx
mov rax, rdx
lea rcx, [rip+000673A1h]
mov qword ptr [rbx], rcx
lea rdx, [rbx+08h]
xor ecx, ecx
mov qword ptr [rdx], rcx
mov qword ptr [rdx+08h], rcx
lea rcx, [rax+08h]
call 00007F0E84C9C089h
lea rax, [rip+00078B69h]
mov qword ptr [rbx], rax
mov rax, rbx
add rsp, 20h
pop rbx
ret
int3
and qword ptr [rcx+10h], 00000000h
lea rax, [rip+00078B60h]
mov qword ptr [rcx+08h], rax
lea rax, [rip+00078B45h]
mov qword ptr [rcx], rax
mov rax, rcx
ret
int3
int3
sub rsp, 48h
lea rcx, [rsp+20h]
call 00007F0E84C9A667h
lea rdx, [rip+000E9A2Fh]
lea rcx, [rsp+20h]
call 00007F0E84C9AECAh
int3
jmp 00007F0E84CA40C8h
int3
int3

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x219bb0 | 0x54 | .rdata
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x219c04 | 0x64 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a9000 | 0x200 | .l2
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x29a000 | 0xb988 | .pdata
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a7000 | 0x1d90 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1f2290 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1f22b0 | 0x100 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x190000 | 0x4d0 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x18e8ce | 0x18ea00 | False | 0.427218686304 | data | 6.26311061578 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata | 0x190000 | 0x8abb2 | 0x8ac00 | False | 0.361321086712 | data | 4.93951302348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0x21b000 | 0x7e91c | 0x5ec00 | False | 0.609702238621 | data | 7.19856312148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .pdata | 0x29a000 | 0xb988 | 0xba00 | False | 0.499327956989 | data | 6.16657152165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc | 0x2a6000 | 0x1e0 | 0x200 | False | 0.529296875 | data | 4.720822662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x2a7000 | 0x1d90 | 0x1e00 | False | 0.315494791667 | data | 5.43309822087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .l2 | 0x2a9000 | 0x200 | 0x200 | False | 0.533203125 | data | 4.724728912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_MANIFEST | 0x2a9060 | 0x17d | XML 1.0 document text | English | United States

            Imports

            DLL | Import
            KERNEL32.dll | GetModuleHandleW, LoadLibraryW, lstrcmpiW, CreateFileW, GetFileSize, ReadFile, K32EnumProcessModules, WideCharToMultiByte, TerminateProcess, CreateProcessW, SetHandleInformation, CreatePipe, MultiByteToWideChar, GetOEMCP, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetVersionExW, OpenEventW, CreateDirectoryW, ExpandEnvironmentStringsW, GetTickCount, GetNativeSystemInfo, SetFilePointer, WriteFile, GetLocalTime, HeapSize, Sleep, DeleteFileW, K32GetModuleBaseNameA, K32EnumProcessModulesEx, LoadLibraryA, GetProcAddress, IsWow64Process, VirtualFreeEx, WriteProcessMemory, ReadProcessMemory, VirtualProtectEx, VirtualAllocEx, OpenProcess, CreateRemoteThread, CreateThread, GetCurrentProcessId, GetCurrentProcess, WaitForSingleObject, GetLastError, CreateEventW, CloseHandle, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetACP, RtlUnwind, IsValidCodePage, HeapReAlloc, ReadConsoleW, FlushFileBuffers, GetConsoleMode, GetConsoleCP, HeapAlloc, FormatMessageW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, SetEndOfFile, SetFilePointerEx, GetStringTypeW, QueryPerformanceCounter, SetLastError, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, EncodePointer, DecodePointer, GetCPInfo, CompareStringW, LCMapStringW, GetLocaleInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentThreadId, InitializeSListHead, LocalFree, RtlPcToFileHeader, RaiseException, RtlUnwindEx, InterlockedFlushSList, FreeLibrary, LoadLibraryExW, GetStdHandle, GetFileType, GetModuleFileNameW, GetModuleHandleExW, WriteConsoleW, ExitProcess, SetEnvironmentVariableW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, OutputDebugStringW, HeapFree
            ADVAPI32.dll | CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptDecrypt, CryptImportKey, CryptSetKeyParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, RegSetValueExW, RegQueryValueExW, RegCreateKeyExW, RegCloseKey, LookupPrivilegeValueA, AdjustTokenPrivileges, OpenProcessToken
            OLEAUT32.dll | VariantClear, VariantInit, SafeArrayPutElement, SafeArrayUnlock, SafeArrayLock, SafeArrayCreateVector, SafeArrayCreate, SysFreeString, SysAllocString, SafeArrayDestroy
            VERSION.dll | GetFileVersionInfoW, VerQueryValueA, GetFileVersionInfoSizeW

            Exports

            Name | Ordinal | Address
            UMEP | 1 | 0x1800c0e00
            VFEP | 2 | 0x1800c1bf0

            Possible Origin

            Language of compilation system | Country where language is spoken
            English | United States

            Network Behavior

            Network Port Distribution

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Feb 25, 2021 22:22:55.210108042 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:22:55.261167049 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:22:55.265743971 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:22:55.314353943 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:22:56.140187979 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:22:56.189156055 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:22:56.350183964 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:22:56.408576012 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:22:57.084523916 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:22:57.141534090 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:22:58.086153030 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:22:58.134682894 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:22:59.083832979 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:22:59.144339085 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:00.452464104 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:00.503159046 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:01.742861986 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:01.792284966 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:02.795351982 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:02.844238997 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:04.358900070 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:04.407629967 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:05.448745966 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:05.497241020 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:10.520380020 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:10.569516897 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:10.849600077 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:10.906723976 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:19.510643959 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:19.559226990 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:25.148940086 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:25.200968981 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:27.883023977 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:27.936645985 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:45.453583002 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:45.510669947 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:51.380211115 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:51.434642076 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:23:53.498362064 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:23:53.548362017 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:24:01.271289110 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:24:01.329211950 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:24:32.453205109 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:24:32.504376888 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
            Feb 25, 2021 22:24:32.905786991 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
            Feb 25, 2021 22:24:32.978821039 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5

            Code Manipulations

            Statistics

            Behavior


            System Behavior

            General

            Start time:22:23:01
            Start date:25/02/2021
            Path:C:\Windows\System32\loaddll64.exe
            Wow64 process (32bit):false
            Commandline:loaddll64.exe 'C:\Users\user\Desktop\XopHMqjs5a.dll'
            Imagebase:0x7ff6d28a0000
            File size:147456 bytes
            MD5 hash:40E30D559A47CDA935973FA18C34ABA6
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Start time:22:23:01
            Start date:25/02/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,UMEP
            Imagebase:0x7ff7e11e0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000002.00000002.263563049.00007FFA7D4BB000.00000008.00020000.sdmp, Author: Florian Roth
            Reputation:high

            General

            Start time:22:23:03
            Start date:25/02/2021
            Path:C:\Program Files\internet explorer\iexplore.exe
            Wow64 process (32bit):false
            Commandline:c:\program files\internet explorer\iexplore.exe
            Imagebase:0x7ff6239e0000
            File size:823560 bytes
            MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:22:23:04
            Start date:25/02/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\XopHMqjs5a.dll,VFEP
            Imagebase:0x7ff7e11e0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:22:23:13
            Start date:25/02/2021
            Path:C:\Windows\System32\WerFault.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\WerFault.exe -u -p 6572 -s 552
            Imagebase:0x7ff7a7fe0000
            File size:494488 bytes
            MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            Disassembly

            Code Analysis
