Windows Analysis Report
HLMJbase.dll

Overview

General Information

Sample name: HLMJbase.dll
Analysis ID: 1579416
MD5: 250eb1ef1645f13252ef13c14ba66d51
SHA1: 4aa14d113af1d74fbd1adbc16c10126b69878d0b
SHA256: dacdac1e333a1f45700e3707e617ff49c457226604f1ffa160fc3faf9b6810b3
Tags: dll, user-smica83

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBDE8E0 EncryptMessage, 3_2_6CBDE8E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBB0332 DecryptMessage, 3_2_6CBB0332
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD9840 DecryptMessage,memset, 3_2_6CBD9840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD961E EncryptMessage, 3_2_6CBD961E
Source: HLMJbase.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 38.147.186.138:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 38.147.186.138:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 38.147.186.138:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 38.147.186.138:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 38.147.186.138:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 38.147.186.138:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: HLMJbase.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: HLMJbase.pdb source: rundll32.exe, 00000003.00000002.2008755909.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4184561254.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4183830787.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, HLMJbase.dll
Source: C:\Windows\SysWOW64\rundll32.exe File opened: z:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: x:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: v:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: t:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: r:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: p:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: n:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: l:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: j:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: h:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: f:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: b:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: y:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: w:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: u:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: s:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: q:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: o:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: m:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: k:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: i:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: g:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: e:
Source: C:\Windows\SysWOW64\WerFault.exe File opened: c:
Source: C:\Windows\SysWOW64\rundll32.exe File opened: [:
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C8060 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW, 4_2_054C8060

Networking

Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49739 -> 45.204.213.99:7677
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49746 -> 45.204.213.99:7677
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49933 -> 45.204.213.99:7688
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50030 -> 45.204.213.99:7677
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 38.147.186.138 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.204.213.99 7688
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 45.204.213.99:7677
Source: global traffic HTTP traffic detected: GET /19/7.txt HTTP/1.1 accept: */* host: dcttx.com
Source: global traffic HTTP traffic detected: GET /19/7.txt HTTP/1.1 accept: */* host: dcttx.com
Source: global traffic HTTP traffic detected: GET /19/77.bin HTTP/1.1 accept: */* host: dcttx.com
Source: global traffic HTTP traffic detected: GET /19/77.bin HTTP/1.1 accept: */* host: dcttx.com
Source: global traffic HTTP traffic detected: GET /19/7.txt HTTP/1.1 accept: */* host: dcttx.com
Source: global traffic HTTP traffic detected: GET /19/77.bin HTTP/1.1 accept: */* host: dcttx.com
Source: Joe Sandbox View ASN Name: CODECCLOUD-AS-APCodecCloudHKLimitedHK
Source: Joe Sandbox View ASN Name: ITACE-AS-APItaceInternationalLimitedHK
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 45.204.213.99 (50 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF84E7 recv,WSAGetLastError, 3_2_6CBF84E7
Source: global traffic DNS traffic detected: DNS query: dcttx.com
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000003.00000003.1739047373.0000000002888000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2008105051.000000000284A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1738872358.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1763776267.0000000002787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dcttx.com/19/7.txt
Source: rundll32.exe, 00000004.00000003.1738872358.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dcttx.com/19/7.txt.
Source: rundll32.exe, 00000003.00000002.2008105051.000000000284A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dcttx.com/19/7.txtD
Source: rundll32.exe, rundll32.exe, 00000003.00000002.2008755909.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4184561254.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4183830787.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, HLMJbase.dll String found in binary or memory: https://dcttx.com/19/7.txtFailed
Source: rundll32.exe, 00000005.00000003.1763776267.0000000002787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dcttx.com/19/7.txtp
Source: rundll32.exe, 00000003.00000003.1770310682.0000000002887000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1739047373.0000000002888000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1738900816.00000000028C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1738731092.0000000002D12000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1768941964.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1738872358.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4176037293.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1833709462.0000000002CBD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1763620953.00000000027C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1844676174.000000000276D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2355356834.000000000277B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2891476609.000000000277B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1763776267.0000000002787000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1795184851.000000000276D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3064884794.000000000277B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4176187047.000000000276C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2739932660.000000000277B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1795350329.0000000002785000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dcttx.com/19/77.bin
Source: rundll32.exe, 00000003.00000002.2008196874.0000000002888000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1770250771.000000000286B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1770310682.0000000002887000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dcttx.com/19/77.bin.
Source: rundll32.exe, 00000003.00000002.2008196874.0000000002888000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1770250771.000000000286B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1770310682.0000000002887000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dcttx.com/19/77.binH
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe Code function: [esc] 4_2_054CE7B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: [esc] 5_2_04E8E7B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CE7B0 CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex, 4_2_054CE7B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CBBF0 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC, 4_2_054CBBF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CE450 CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState, 4_2_054CE450
Source: C:\Windows\SysWOW64\rundll32.exe Windows user hook set: 0 mouse low level C:\Windows\System32\DINPUT8.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB94854 NtCreateFile,RtlNtStatusToDosError,CreateIoCompletionPort,SetFileCompletionNotificationModes,GetLastError,CloseHandle, 3_2_6CB94854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB94268 NtDeviceIoControlFile,RtlNtStatusToDosError, 3_2_6CB94268
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE83D0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle, 3_2_6CBE83D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB93EDC NtCancelIoFileEx,RtlNtStatusToDosError, 3_2_6CB93EDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CB3D0 ExitWindowsEx, 4_2_054CB3D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CB3F4 ExitWindowsEx, 4_2_054CB3F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CB3AC ExitWindowsEx, 4_2_054CB3AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E8B3F4 ExitWindowsEx, 5_2_04E8B3F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E8B3D0 ExitWindowsEx, 5_2_04E8B3D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E8B3AC ExitWindowsEx, 5_2_04E8B3AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD6D3C 3_2_6CBD6D3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBB481F 3_2_6CBB481F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBBAA6C 3_2_6CBBAA6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBA8469 3_2_6CBA8469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD9CA8 3_2_6CBD9CA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBB1C98 3_2_6CBB1C98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB614AB 3_2_6CB614AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBC90A8 3_2_6CBC90A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC02C95 3_2_6CC02C95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF4CCF 3_2_6CBF4CCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBA2D0F 3_2_6CBA2D0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB8EE05 3_2_6CB8EE05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB7CF24 3_2_6CB7CF24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF4898 3_2_6CBF4898
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBB28F9 3_2_6CBB28F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC02893 3_2_6CC02893
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB9A814 3_2_6CB9A814
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB6E875 3_2_6CB6E875
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB6CAD0 3_2_6CB6CAD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBB8A77 3_2_6CBB8A77
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB90B40 3_2_6CB90B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB68430 3_2_6CB68430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB9653C 3_2_6CB9653C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBFA508 3_2_6CBFA508
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB9255C 3_2_6CB9255C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBDC6DA 3_2_6CBDC6DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB666D9 3_2_6CB666D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB7A64D 3_2_6CB7A64D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE8780 3_2_6CBE8780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBC4719 3_2_6CBC4719
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB7C1AC 3_2_6CB7C1AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE41F0 3_2_6CBE41F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBA6291 3_2_6CBA6291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB8E3C7 3_2_6CB8E3C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF2350 3_2_6CBF2350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBDDC97 3_2_6CBDDC97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC03CF4 3_2_6CC03CF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBDDCEB 3_2_6CBDDCEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBDDC7A 3_2_6CBDDC7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB6BDB1 3_2_6CB6BDB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB61DF7 3_2_6CB61DF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB79D26 3_2_6CB79D26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBDBD1C 3_2_6CBDBD1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEBD70 3_2_6CBEBD70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB8DD45 3_2_6CB8DD45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB85E16 3_2_6CB85E16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEDFFE 3_2_6CBEDFFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBC3F75 3_2_6CBC3F75
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE9F40 3_2_6CBE9F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC018D7 3_2_6CC018D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBBBA52 3_2_6CBBBA52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF9BE5 3_2_6CBF9BE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD5B14 3_2_6CBD5B14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB854EF 3_2_6CB854EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE347E 3_2_6CBE347E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBAB537 3_2_6CBAB537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB6F61C 3_2_6CB6F61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBA5674 3_2_6CBA5674
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB7D0F7 3_2_6CB7D0F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE1060 3_2_6CBE1060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC0524A 3_2_6CC0524A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBCD246 3_2_6CBCD246
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE9370 3_2_6CBE9370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048E0CAE 4_2_048E0CAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048D24B0 4_2_048D24B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048E11FF 4_2_048E11FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048E2D61 4_2_048E2D61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048DB6A6 4_2_048DB6A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048E1E2C 4_2_048E1E2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048E1750 4_2_048E1750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C6E60 4_2_054C6E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C6BE0 4_2_054C6BE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054DDDF0 4_2_054DDDF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C24A0 4_2_054C24A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054DF9FF 4_2_054DF9FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C8870 4_2_054C8870
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054DD89F 4_2_054DD89F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054DE341 4_2_054DE341
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054D8381 4_2_054D8381
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054DEA1D 4_2_054DEA1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CF659F 4_2_04CF659F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D07D40 4_2_04D07D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D0DD00 4_2_04D0DD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CF1E5F 4_2_04CF1E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D0D7AF 4_2_04D0D7AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CF681F 4_2_04CF681F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D0D25E 4_2_04D0D25E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CF822F 4_2_04CF822F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D0F3BE 4_2_04D0F3BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_043324B0 5_2_043324B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04340CAE 5_2_04340CAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04342D61 5_2_04342D61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_043411FF 5_2_043411FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04341E2C 5_2_04341E2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0433B6A6 5_2_0433B6A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04341750 5_2_04341750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E86E60 5_2_04E86E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E86BE0 5_2_04E86BE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E824A0 5_2_04E824A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E9DDF0 5_2_04E9DDF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04EA978D 5_2_04EA978D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E9D89F 5_2_04E9D89F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E88870 5_2_04E88870
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E9F9FF 5_2_04E9F9FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E9EA1D 5_2_04E9EA1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E98381 5_2_04E98381
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E9E341 5_2_04E9E341
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046D7D40 5_2_046D7D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046DDD00 5_2_046DDD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046C659F 5_2_046C659F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046C1E5F 5_2_046C1E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046DD7AF 5_2_046DD7AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046C681F 5_2_046C681F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046DD25E 5_2_046DD25E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046C822F 5_2_046C822F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046DF3BE 5_2_046DF3BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CB68880 appears 80 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04E942E0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC025D0 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 054D42E0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC022D0 appears 146 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7544 -s 724
Source: HLMJbase.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: HLMJbase.dll Binary string: HandleAfdPollInfo\Device\Afd\Mio
Source: HLMJbase.dll Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine Classification label: mal72.spyw.evad.winDLL@11/5@1/2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE9F40 memset,GetModuleHandleW,FormatMessageW,memmove,GetLastError, 3_2_6CBE9F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C75A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess, 4_2_054C75A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C76C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 4_2_054C76C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C7AF0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, 4_2_054C7AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E875A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess, 5_2_04E875A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E876C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 5_2_04E876C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E87AF0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, 5_2_04E87AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C6BE0 wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf, 4_2_054C6BE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C5FE0 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle, 4_2_054C5FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C6620 wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,SysFreeString,CoUninitialize, 4_2_054C6620
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\2024.12.19
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7544
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\116622cf-9c8a-4503-a27a-35d36a772c23
Source: HLMJbase.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HLMJbase.dll,NvOptimusEnablement
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\HLMJbase.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HLMJbase.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HLMJbase.dll,NvOptimusEnablement
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HLMJbase.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HLMJbase.dll",NvOptimusEnablement
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7544 -s 724
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HLMJbase.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HLMJbase.dll,NvOptimusEnablement
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HLMJbase.dll",NvOptimusEnablement
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HLMJbase.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: HLMJbase.dll Static file information: File size 1071104 > 1048576
Source: HLMJbase.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: HLMJbase.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: HLMJbase.pdb source: rundll32.exe, 00000003.00000002.2008755909.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4184561254.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4183830787.000000006CC06000.00000002.00000001.01000000.00000003.sdmp, HLMJbase.dll
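The static PE lines above (FileHeader Characteristics EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE | DLL, the .text section flags, DllCharacteristics DYNAMIC_BASE | NX_COMPAT, a DEBUG data directory and the PDB path HLMJbase.pdb) can be confirmed on any copy of the file without a sandbox. The Python below is an added example, not code from the report or from the analyzed sample: it walks the DOS, NT, optional and section headers with the standard library only, resolves the DEBUG directory's RVA through the section table and pulls the PDB path out of the CodeView RSDS record. The header offsets follow the PE/COFF specification; the input is a constructed minimal PE32 DLL whose flag values mirror the ones the report lists, not the real HLMJbase.dll.

```python
"""Read the static PE indicators the report lists (FileHeader Characteristics,
DllCharacteristics, DEBUG directory, CodeView PDB path) with the standard library.
Added example; build_sample_dll() returns a constructed stand-in, not HLMJbase.dll."""
import struct

IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6      # index into the optional header's data directory
IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_ENTRY_SIZE = 28                # sizeof(IMAGE_DEBUG_DIRECTORY)


def _flags(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    machine, nsections = struct.unpack_from("<HH", data, fh)
    size_opt, characteristics = struct.unpack_from("<HH", data, fh + 16)
    oh = fh + 20                                         # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, oh)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, oh + 70)[0]   # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, oh + (108 if pe32plus else 92))[0]
    dirs_off = oh + (112 if pe32plus else 96)
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(n_dirs)]

    sections = []                                        # (name, rva, span, raw file offset)
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, oh + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for _, va, span, rawptr in sections:
            if va <= rva < va + span:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    info = {
        "machine": machine,
        "pe32plus": pe32plus,
        "characteristics": _flags(characteristics, IMAGE_FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "sections": [s[0] for s in sections],
        "has_debug_directory": False,
        "pdb_path": None,
    }
    # ASLR needs the DYNAMIC_BASE flag *and* relocations the loader can apply.
    info["aslr_effective"] = ("DYNAMIC_BASE" in info["dll_characteristics"]
                              and "RELOCS_STRIPPED" not in info["characteristics"])
    if len(dirs) > IMAGE_DIRECTORY_ENTRY_DEBUG and dirs[IMAGE_DIRECTORY_ENTRY_DEBUG][1]:
        dbg_rva, dbg_size = dirs[IMAGE_DIRECTORY_ENTRY_DEBUG]
        info["has_debug_directory"] = True
        start = rva_to_offset(dbg_rva)
        for entry in range(start, start + dbg_size, DEBUG_ENTRY_SIZE):
            dbg_type = struct.unpack_from("<I", data, entry + 12)[0]
            raw_ptr = struct.unpack_from("<I", data, entry + 24)[0]   # PointerToRawData
            if dbg_type == IMAGE_DEBUG_TYPE_CODEVIEW and data[raw_ptr:raw_ptr + 4] == b"RSDS":
                # RSDS record: 'RSDS' + GUID(16) + age(4) + NUL-terminated PDB path
                end = data.index(b"\0", raw_ptr + 24)
                info["pdb_path"] = data[raw_ptr + 24:end].decode(errors="replace")
    return info


def build_sample_dll() -> bytes:
    """Constructed stand-in: minimal PE32 DLL with one .text section, the flag
    values the report lists, and an RSDS record naming HLMJbase.pdb."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                        # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    fh = 0x44
    struct.pack_into("<HHIIIHH", buf, fh, 0x14C, 1, 0, 0, 0, 224,
                     0x0002 | 0x0020 | 0x0100 | 0x2000)              # i386, 1 section, PE32 opt hdr
    oh = fh + 20
    struct.pack_into("<H", buf, oh, 0x10B)                          # PE32 magic
    struct.pack_into("<II", buf, oh + 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    struct.pack_into("<II", buf, oh + 56, 0x2000, 0x200)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", buf, oh + 68, 2, 0x0040 | 0x0100)       # GUI subsystem, DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", buf, oh + 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, oh + 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, DEBUG_ENTRY_SIZE)
    struct.pack_into("<8sIIIIIIHHI", buf, oh + 224, b".text", 0x1000, 0x1000, 0x200, 0x200,
                     0, 0, 0, 0, 0x60000020)                        # CNT_CODE|MEM_EXECUTE|MEM_READ
    # .text raw data at file offset 0x200 == RVA 0x1000: one debug entry, RSDS record at 0x220
    struct.pack_into("<IIHHIIII", buf, 0x200, 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, 0x30, 0x1020, 0x220)
    cv = b"RSDS" + bytes(16) + struct.pack("<I", 1) + b"HLMJbase.pdb\0"
    buf[0x220:0x220 + len(cv)] = cv
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_dll()).items():
        print(f"{key:22} {value}")
```

Run it against a real file with `parse_pe(open(path, "rb").read())`. The `aslr_effective` field is the practitioner's caveat: DYNAMIC_BASE on its own says nothing if relocations were stripped, and a 32-bit image in any case gets far less base randomization than a PE32+ one with HIGH_ENTROPY_VA. Note also what is absent from this sample's DllCharacteristics: no GUARD_CF and no NO_SEH.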
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEC9B0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,memmove,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess, 3_2_6CBEC9B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048E7AFE push eax; retn 0000h 4_2_048E7B05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048D9EF5 push ecx; ret 4_2_048D9F08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054E2443 push ebp; retf 4_2_054E2474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054E2450 push ebp; retf 4_2_054E2474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054E2470 push ebp; retf 4_2_054E2474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054EA168 push eax; ret 4_2_054EA119
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054EA0B8 push eax; ret 4_2_054EA119
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054D4325 push ecx; ret 4_2_054D4338
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D03CE4 push ecx; ret 4_2_04D03CF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04339EF5 push ecx; ret 5_2_04339F08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04347AFF push eax; retn 0000h 5_2_04347B05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04EA2470 push ebp; retf 5_2_04EA2474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04EA245F push ebp; retf 5_2_04EA2474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04EAA0B8 push eax; ret 5_2_04EAA119
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04EAA168 push eax; ret 5_2_04EAA119
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E94325 push ecx; ret 5_2_04E94338
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046D3CE4 push ecx; ret 5_2_046D3CF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CB351 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog, 4_2_054CB351
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 3324
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 5607
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 5644
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 3281
Source: C:\Windows\SysWOW64\rundll32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 9.1 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7880 Thread sleep count: 284 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7972 Thread sleep count: 54 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7972 Thread sleep time: -54000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7996 Thread sleep count: 3324 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7996 Thread sleep time: -33240s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7972 Thread sleep count: 5607 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7972 Thread sleep time: -5607000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7940 Thread sleep count: 245 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8024 Thread sleep count: 5644 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8024 Thread sleep time: -5644000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8032 Thread sleep count: 3281 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8032 Thread sleep time: -32810s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Thread sleep count: Count: 3324 delay: -10
Source: C:\Windows\SysWOW64\rundll32.exe Thread sleep count: Count: 3281 delay: -10
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C8060 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW, 4_2_054C8060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C53C0 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 4_2_054C53C0
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000003.00000003.1770250771.000000000286B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2008105051.000000000286D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1770502384.000000000286D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1738954589.000000000286D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1770216842.0000000002CBD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1738806367.0000000002CBD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4176037293.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1833709462.0000000002CBD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1844676174.000000000276D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1795518550.000000000276D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1795184851.000000000276D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node (2 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC016E3 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CC016E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054D04AB VirtualProtect ?,-00000001,00000104,? 4_2_054D04AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEC9B0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,memmove,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess, 3_2_6CBEC9B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CF00CD mov eax, dword ptr fs:[00000030h] 4_2_04CF00CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_046C00CD mov eax, dword ptr fs:[00000030h] 5_2_046C00CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC05070 GetProcessHeap,HeapAlloc, 3_2_6CC05070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC01C22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6CC01C22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC016E3 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CC016E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048D6530 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep, 4_2_048D6530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048D69D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_048D69D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048D8678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_048D8678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048DAFAE SetUnhandledExceptionFilter, 4_2_048DAFAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CDE70 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 4_2_054CDE70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054CEF64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_054CEF64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054D1EC7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_054D1EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04336530 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep, 5_2_04336530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_043369D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_043369D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04338678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_04338678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0433AFAE SetUnhandledExceptionFilter, 5_2_0433AFAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E8DE70 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 5_2_04E8DE70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E91EC7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_04E91EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E8EF64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_04E8EF64
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 38.147.186.138 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.204.213.99 7688
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_048D5830 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread, 4_2_048D5830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C7760 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 4_2_054C7760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04E87760 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 5_2_04E87760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 4_2_054C7760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 4_2_054C7760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 5_2_04E87760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 5_2_04E87760
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HLMJbase.dll",#1
Source: rundll32.exe, 00000004.00000003.3595673865.0000000006356000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3607417606.0000000005C06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0 min571345Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: rundll32.exe, 00000004.00000002.4182957404.0000000005634000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inProgram Manager
Source: rundll32.exe, 00000004.00000003.3784105886.0000000006352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3595132241.0000000006352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3607310533.0000000005C02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .168.2.4 0 min571345Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: rundll32.exe, 00000004.00000003.1892014772.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1925447650.0000000005BA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .168.2.4 0 min571345Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 4_2_054C53C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 5_2_04E853C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC0130C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_6CC0130C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054D5D95 __lock,wsprintfW,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 4_2_054D5D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054C6A00 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW, 4_2_054C6A00
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: rundll32.exe Binary or memory string: acs.exe
Source: rundll32.exe Binary or memory string: avcenter.exe
Source: rundll32.exe Binary or memory string: kxetray.exe
Source: rundll32.exe Binary or memory string: vsserv.exe
Source: rundll32.exe Binary or memory string: cfp.exe
Source: rundll32.exe Binary or memory string: avp.exe
Source: rundll32.exe Binary or memory string: KSafeTray.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe Binary or memory string: 360Safe.exe
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: rtvscan.exe
Source: rundll32.exe Binary or memory string: TMBMSRV.exe
Source: rundll32.exe Binary or memory string: ashDisp.exe
Source: rundll32.exe Binary or memory string: 360Tray.exe
Source: rundll32.exe Binary or memory string: avgwdsvc.exe
Source: rundll32.exe Binary or memory string: AYAgent.aye
Source: rundll32.exe Binary or memory string: RavMonD.exe
Source: rundll32.exe Binary or memory string: QUHLPSVC.EXE
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe
Source: rundll32.exe Binary or memory string: Mcshield.exe
Source: rundll32.exe Binary or memory string: K7TSecurity.exe
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE768C bind,GetLastError, 3_2_6CBE768C