Create Interactive Tour

Windows Analysis Report
ss64.dll

Overview

General Information

Sample Name:	ss64.dll
Analysis ID:	618424
MD5:	cfbf1cb96b31132ddbd8074180487b70
SHA1:	d8cc1b0fcd85365708396cbd8c91a479c5739a2a
SHA256:	80748d742c31afee1d1db90ee3c1f3212d48a683482ff0e7f37b721b03001a1b
Tags:	coroxyexesabsiktrojan
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Machine Learning detection for sample

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 2796 cmdline: loaddll64.exe "C:\Users\user\Desktop\ss64.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 5212 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 3156 cmdline: rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4188 cmdline: rundll32.exe C:\Users\user\Desktop\ss64.dll,rundll MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 7056 cmdline: rundll32.exe "C:\Users\user\Desktop\ss64.dll",rundll MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ss64.dll	EXT_MAL_SystemBC_Mar22_1	Detects unpacked SystemBC module as used by Emotet in March 2022	Thomas Barabosch, Deutsche Telekom Security	0x4375:$sx1: -WindowStyle Hidden -ep bypass -file 0x4200:$sx2: BEGINDATA 0x43b7:$sx3: GET %s HTTP/1.0 0x43d2:$s5: User-Agent: 0x4330:$s8: ALLUSERSPROFILE
ss64.dll	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x436a:$pwsh: powershell 0x43b7:$s1: GET %s HTTP/1 0x43d2:$s2: User-Agent: 0x4375:$s3: -WindowStyle Hidden -ep bypass -file " 0x4200:$v1: BEGINDATA 0x420a:$v2: HOST1: 0x4241:$v2: HOST2: 0x4278:$v3: PORT1: 0x4284:$v4: TOR:

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ss64.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: ss64.dll	Virustotal: Detection: 50%			Perma Link
Source: ss64.dll	ReversingLabs: Detection: 52%

Machine Learning detection for sample

Source: ss64.dll

Joe Sandbox ML: detected

Source: ss64.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Domain query: localhost.exchange
Source: C:\Windows\System32\rundll32.exe	Network Connect: 8.8.8.8 53	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 93.115.25.139 443	Jump to behavior

Source: Joe Sandbox View

ASN Name: CHERRYSERVERS1-ASLT CHERRYSERVERS1-ASLT

Source: unknown

DNS traffic detected: query: localhost.exchange replaycode: Name error (3)

Source: unknown	Network traffic detected: HTTP traffic on port 64857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64616 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51548 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49463 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63520 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60495 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51524 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50464 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61363 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63532 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59494 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62460 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64641 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52416 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51512 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49438 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60471 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62652 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59482 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50656 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51561 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62459 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54609 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63507 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61543 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60483 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60291 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51573 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51500 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63519 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52428 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50644 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52516
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52517
Source: unknown	Network traffic detected: HTTP traffic on port 51115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53846
Source: unknown	Network traffic detected: HTTP traffic on port 56803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52515
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52518
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52519
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53840
Source: unknown	Network traffic detected: HTTP traffic on port 50632 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53844
Source: unknown	Network traffic detected: HTTP traffic on port 50873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53843
Source: unknown	Network traffic detected: HTTP traffic on port 53537 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53842
Source: unknown	Network traffic detected: HTTP traffic on port 62255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62496 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52527
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52528
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52525
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52526
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52529
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52520
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52523
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52524
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52521
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52522
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64505
Source: unknown	Network traffic detected: HTTP traffic on port 56815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64509
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64508
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64501
Source: unknown	Network traffic detected: HTTP traffic on port 52200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64500
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64503
Source: unknown	Network traffic detected: HTTP traffic on port 50885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52538
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52539
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52537
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51209
Source: unknown	Network traffic detected: HTTP traffic on port 58348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52530
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52531
Source: unknown	Network traffic detected: HTTP traffic on port 63965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51203
Source: unknown	Network traffic detected: HTTP traffic on port 65508 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52534
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52535
Source: unknown	Network traffic detected: HTTP traffic on port 54851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52532
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51202
Source: unknown	Network traffic detected: HTTP traffic on port 57252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62472 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53525 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62484 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51218
Source: unknown	Network traffic detected: HTTP traffic on port 53922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52549
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52541
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52542
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53872
Source: unknown	Network traffic detected: HTTP traffic on port 58336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52540
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52545
Source: unknown	Network traffic detected: HTTP traffic on port 50897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53876
Source: unknown	Network traffic detected: HTTP traffic on port 62640 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52543
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51213
Source: unknown	Network traffic detected: HTTP traffic on port 52212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52544
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64527
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64526
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64528
Source: unknown	Network traffic detected: HTTP traffic on port 57288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52441 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64520
Source: unknown	Network traffic detected: HTTP traffic on port 51945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61555 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64523
Source: unknown	Network traffic detected: HTTP traffic on port 51127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64525
Source: unknown	Network traffic detected: HTTP traffic on port 64882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63556 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53800
Source: unknown	Network traffic detected: HTTP traffic on port 52477 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55299 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50607 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53812
Source: unknown	Network traffic detected: HTTP traffic on port 61976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53817
Source: unknown	Network traffic detected: HTTP traffic on port 62881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53811
Source: unknown	Network traffic detected: HTTP traffic on port 51139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53501 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50476 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53823
Source: unknown	Network traffic detected: HTTP traffic on port 51790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53827
Source: unknown	Network traffic detected: HTTP traffic on port 61302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50619 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53820
Source: unknown	Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52465 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52503
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52504
Source: unknown	Network traffic detected: HTTP traffic on port 62627 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52501
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52502
Source: unknown	Network traffic detected: HTTP traffic on port 50488 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53830
Source: unknown	Network traffic detected: HTTP traffic on port 63941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49475 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64460
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63130
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52475
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52476
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51143
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52474
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51149
Source: unknown	Network traffic detected: HTTP traffic on port 64485 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52477
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51147
Source: unknown	Network traffic detected: HTTP traffic on port 54201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56623 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59637 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51152
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51150
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64453
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64457
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64456
Source: unknown	Network traffic detected: HTTP traffic on port 51164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64459
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64458
Source: unknown	Network traffic detected: HTTP traffic on port 54178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63140
Source: unknown	Network traffic detected: HTTP traffic on port 64256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51155
Source: unknown	Network traffic detected: HTTP traffic on port 60855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51153
Source: unknown	Network traffic detected: HTTP traffic on port 57685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51159
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51158
Source: unknown	Network traffic detected: HTTP traffic on port 54442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51163
Source: unknown	Network traffic detected: HTTP traffic on port 57456 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51160
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63133
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63132
Source: unknown	Network traffic detected: HTTP traffic on port 55034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64468
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64467
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63139
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64482
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64481
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64484
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64483
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52497
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52495
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52496
Source: unknown	Network traffic detected: HTTP traffic on port 60638 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51168
Source: unknown	Network traffic detected: HTTP traffic on port 51152 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51170
Source: unknown	Network traffic detected: HTTP traffic on port 54191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51173
Source: unknown	Network traffic detected: HTTP traffic on port 59854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64475
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64474
Source: unknown	Network traffic detected: HTTP traffic on port 57673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64476
Source: unknown	Network traffic detected: HTTP traffic on port 59625 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64491
Source: unknown	Network traffic detected: HTTP traffic on port 64497 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64490
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64493
Source: unknown	Network traffic detected: HTTP traffic on port 50824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64492
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64495
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64494
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51175
Source: unknown	Network traffic detected: HTTP traffic on port 53104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51179
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64486
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64485
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64488
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64487
Source: unknown	Network traffic detected: HTTP traffic on port 53562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64489
Source: unknown	Network traffic detected: HTTP traffic on port 54454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52439
Source: unknown	Network traffic detected: HTTP traffic on port 56576 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51109
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52437
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52438
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53768
Source: unknown	Network traffic detected: HTTP traffic on port 55984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52431
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52432
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52430
Source: unknown	Network traffic detected: HTTP traffic on port 57420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52435
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52436
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52433
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52434
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64416
Source: unknown	Network traffic detected: HTTP traffic on port 56839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64419
Source: unknown	Network traffic detected: HTTP traffic on port 55058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51119
Source: unknown	Network traffic detected: HTTP traffic on port 56659 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52442
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52440
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52441
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52446
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52447
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52444
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52445
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51114
Source: unknown	Network traffic detected: HTTP traffic on port 53550 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64428
Source: unknown	Network traffic detected: HTTP traffic on port 56564 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64427
Source: unknown	Network traffic detected: HTTP traffic on port 51704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64429
Source: unknown	Network traffic detected: HTTP traffic on port 54142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64420
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64422
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64421
Source: unknown	Network traffic detected: HTTP traffic on port 63916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51128
Source: unknown	Network traffic detected: HTTP traffic on port 51188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52459
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51129
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51122
Source: unknown	Network traffic detected: HTTP traffic on port 60879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51121
Source: unknown	Network traffic detected: HTTP traffic on port 57493 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52458
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53786
Source: unknown	Network traffic detected: HTTP traffic on port 56840 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.25.139

Source: unknown

DNS traffic detected: queries for: localhost.exchange

System Summary

Malicious sample detected (through community Yara rule)

Source: ss64.dll, type: SAMPLE

Matched rule: Detects SystemBC Author: ditekSHen

Source: ss64.dll, type: SAMPLE	Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
Source: ss64.dll, type: SAMPLE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC

Source: ss64.dll	Virustotal: Detection: 50%
Source: ss64.dll	ReversingLabs: Detection: 52%

Source: ss64.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ss64.dll,rundll

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ss64.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ss64.dll,rundll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ss64.dll",rundll
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ss64.dll,rundll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ss64.dll",rundll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1	Jump to behavior

Source: classification engine

Classification label: mal76.evad.winDLL@9/0@20965/2

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: ss64.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: ss64.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 4532

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Domain query: localhost.exchange
Source: C:\Windows\System32\rundll32.exe	Network Connect: 8.8.8.8 53	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 93.115.25.139 443	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	111 Process Injection	1 Rundll32	OS Credential Dumping	11 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ss64.dll	50%	Virustotal		Browse
ss64.dll	52%	ReversingLabs	Win64.Trojan.Sybici
ss64.dll	100%	Avira	HEUR/AGEN.1205060
ss64.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
localhost.exchange	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
localhost.exchange	unknown	unknown	true	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.115.25.139	unknown	Lithuania		16125	CHERRYSERVERS1-ASLT	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	618424
Start date and time: 30/04/202213:04:07	2022-04-30 13:04:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ss64.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.evad.winDLL@9/0@20965/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.242.101.226, 52.152.110.14, 52.251.79.25
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:05:08	API Interceptor	3x Sleep call for process: rundll32.exe modified
13:05:12	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
93.115.25.139	ss.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CHERRYSERVERS1-ASLT	http://46.166.161.68/affd	Get hash	malicious	Browse	46.166.161.68
	http://46.166.161.68:80/asdfgh	Get hash	malicious	Browse	46.166.161.68
	ss (2).exe	Get hash	malicious	Browse	46.166.169.34
	ss.dll	Get hash	malicious	Browse	93.115.25.139
	YL4gYb6euI.exe	Get hash	malicious	Browse	93.115.29.50
	mouP2wVCaF.exe	Get hash	malicious	Browse	93.115.29.50
	8Ihre21XMR.exe	Get hash	malicious	Browse	93.115.29.50
	s61ssR9Ye1.dll	Get hash	malicious	Browse	93.115.29.50
	2Xnyr4yIym.dll	Get hash	malicious	Browse	46.166.161.93
	#U041f#U0440#U0438#U043a#U0430#U0437 #U211621 #U043e#U0442 29-03-2022.docx	Get hash	malicious	Browse	93.115.25.134
	http://185.150.117.189/admin.css?string=true	Get hash	malicious	Browse	185.150.117.189
	7322849c07c96d29df99a8c9c81b43e4527a926f968b8.exe	Get hash	malicious	Browse	185.150.119.227
	fNOCSNukvE.exe	Get hash	malicious	Browse	188.214.144.171
	02d6b6d6a27c2c88abbd109a5e1d987183252f7ed6165.exe	Get hash	malicious	Browse	185.150.119.227
	ca27c07cc9fddcd8bc07b2b9aa3406ab019fb54797bf2.exe	Get hash	malicious	Browse	185.150.119.227
	aslr.dll	Get hash	malicious	Browse	46.166.161.93
	RXJPatkj9M.dll	Get hash	malicious	Browse	185.150.117.116
	data.dll	Get hash	malicious	Browse	5.199.162.140
	J3QbgqlDwW.dll	Get hash	malicious	Browse	5.199.162.140
	CNA7cdSDsi.dll	Get hash	malicious	Browse	5.199.162.140

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.511032037216886
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	ss64.dll
File size:	18432
MD5:	cfbf1cb96b31132ddbd8074180487b70
SHA1:	d8cc1b0fcd85365708396cbd8c91a479c5739a2a
SHA256:	80748d742c31afee1d1db90ee3c1f3212d48a683482ff0e7f37b721b03001a1b
SHA512:	b0349ed3333b2db5e7273e86d382c521ce3f2354c67b610a7844c28f067ba7e9fbb88853ad6567f4485d1f670e0127ee15f1149cf71e00238a291f96c614bbd0
SSDEEP:	384:L3qHtu750gtxCYLcHtcWajpOnM/uQ9p/mvm12MGSs4:L3Qgk/arfevmk
TLSH:	3582613E9641059EEB6582F9D5CF8B14C535313B0732E36BA3B05B102E169B7EB60BC6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........p...#...#...#.+.#...#...#...#...#...#...#...#...#...#Rich...#................PE..d...K.R`.........." .....2.................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x180001000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6052FE4B [Thu Mar 18 07:16:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	bb5490a497d4a5ce59005ca1d1aacc2a

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ecx
dec eax
mov dword ptr [esp+10h], edx
dec esp
mov dword ptr [esp+18h], eax
push ebp
dec eax
mov ebp, esp
dec eax
mov eax, 00000001h
dec eax
add esp, 00000000h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 10h
dec eax
sub esp, 20h
dec eax
mov ecx, 00000000h
call 00007F8C84C7F064h
dec eax
add esp, 20h
dec eax
add esp, 10h
pop ebp
ret
dec eax
mov dword ptr [esp+08h], ecx
dec eax
mov dword ptr [esp+10h], edx
dec esp
mov dword ptr [esp+18h], eax
dec esp
mov dword ptr [esp+20h], ecx
push ebp
dec eax
mov ebp, esp
push ebx
push edi
push esi
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
inc ecx
push edi
dec eax
sub esp, 00000D78h
dec eax
lea edx, dword ptr [ebp-38h]
dec eax
sub edx, esp
dec eax
sub esp, 20h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F8C84C8144Ah
dec eax
add esp, 20h
dec eax
sub esp, 20h
dec eax
mov ecx, dword ptr [ebp+10h]
dec eax
lea edx, dword ptr [ebp-000005A8h]
call 00007F8C84C8174Ch
dec eax
add esp, 20h
dec eax
sub esp, 20h
dec eax
mov ecx, dword ptr [ebp+20h]
dec eax
lea edx, dword ptr [ebp-000007A8h]
call 00007F8C84C81734h
dec eax
add esp, 20h
dec eax
sub esp, 20h
dec eax
mov ecx, 00000000h
call dword ptr [00004012h]
dec eax

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[LNK] VS2010 build 30319
[EXP] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5a30	0x45	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5510	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7000	0x1b0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5000	0x198	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30eb	0x3200	False	0.4103125	zlib compressed data	5.62793570542	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0xa75	0xc00	False	0.340494791667	data	4.57510443674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x253	0x400	False	0.37109375	data	3.33553352496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x7000	0x1b0	0x200	False	0.455078125	data	3.41518848831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
user32.dll	wsprintfA
ws2_32.dll	getaddrinfo, closesocket, shutdown, send, setsockopt, freeaddrinfo, recv, WSAIoctl, select, connect, inet_ntoa, inet_addr, htons, ioctlsocket, WSAStartup, socket
advapi32.dll	GetTokenInformation, OpenProcessToken, GetSidSubAuthority
kernel32.dll	WriteFile, SetFilePointer, CreateFileA, VirtualFree, LocalFree, LocalAlloc, SystemTimeToFileTime, SetEvent, WaitForSingleObject, ExitThread, CloseHandle, CreateThread, GetTempPathA, GetVolumeInformationA, Sleep, CreateEventA, GetCurrentProcess, FileTimeToSystemTime, GetLocalTime, VirtualAlloc
secur32.dll	GetUserNameExA, GetUserNameExW
ole32.dll	CoCreateInstance, CoUninitialize, CoInitialize

Exports

Name	Ordinal	Address
rundll	1	0x180001020

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• loaddll64.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Behavior

• loaddll64.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 2796, Parent PID: 5632

Function Logs

General

Target ID:	0
Start time:	13:05:07
Start date:	30/04/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\ss64.dll"
Imagebase:	0x7ff65abf0000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Show Windows behavior

Thread Activities

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5212, Parent PID: 2796

Function Logs

General

Target ID:	1
Start time:	13:05:08
Start date:	30/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1
Imagebase:	0x7ff7d01f0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Process Activities

Process Created

Process Information Set

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4188, Parent PID: 2796

Function Logs

General

Target ID:	2
Start time:	13:05:08
Start date:	30/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\ss64.dll,rundll
Imagebase:	0x7ff6e4f70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

Network Activities

Socket bound

Socket connected

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3156, Parent PID: 5212

Function Logs

General

Target ID:	3
Start time:	13:05:08
Start date:	30/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\ss64.dll",#1
Imagebase:	0x7ff6e4f70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

Network Activities

Socket bound

Socket connected

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7056, Parent PID: 2796

Function Logs

General

Target ID:	4
Start time:	13:05:11
Start date:	30/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\ss64.dll",rundll
Imagebase:	0x7ff6e4f70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

Network Activities

Socket bound

Socket connected

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ss64.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 2796, Parent PID: 5632

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Windows Analysis Report
ss64.dll