Windows Analysis Report
Dll1.dll

Overview

General Information

Sample name: Dll1.dll
Analysis ID: 1500782
MD5: b14ef85a60ac71c669cc960bdf580144
SHA1: 08906644b0ef1ee6478c45a6e0dd28533a9efc29
SHA256: 861911e953e6fd0a015b3a91a7528a388a535c83f4b9a5cf7366b8209d2f00c3
Tags: dll

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: rundll32 run dll from internet
System process connects to network (likely due to code injection or exploit)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Rundll32 Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Dll1.dll ReversingLabs: Detection: 31%
Source: Dll1.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: Dll1.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E1629 FindFirstFileW,CloseHandle,_strlen,ExpandEnvironmentStringsW,CopyFileW,Sleep,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 0_2_6F9E1629
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9F1C74 FindFirstFileExW, 0_2_6F9F1C74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E1629 FindFirstFileW,CloseHandle,_strlen,ExpandEnvironmentStringsW,CopyFileW,Sleep,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 3_2_6F9E1629
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9F1C74 FindFirstFileExW, 3_2_6F9F1C74

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 131.153.206.231 443
Source: Joe Sandbox View ASN Name: SS-ASHUS SS-ASHUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/regit.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: rammenale.com
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Wed, 28 Aug 2024 20:45:57 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpE
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpE0
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpG
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpH
Source: rundll32.exe, 00000009.00000002.3273671925.0000000002E80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpPR
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpR0
Source: rundll32.exe, 0000000C.00000002.3275204855.0000000009207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpU
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpV
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpY
Source: loaddll32.exe, 00000000.00000002.2084984797.0000000000A80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpaC:
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpd
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369942393.0000000003645000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272727200.0000000003645000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpent
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002E60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpent0
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpentindowsINetCookies
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmph
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpj
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpk
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpmp
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpmpf
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpo
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpq
Source: rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmprmh
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpryh
Source: rundll32.exe, 0000000A.00000002.3273620140.0000000003150000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272288324.0000000003430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmps
Source: rundll32.exe, 0000000C.00000003.2369942393.0000000003645000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272727200.0000000003645000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpt
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B5C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpz
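Every hit in the list above is one of the same two download URLs with bytes of adjacent memory glued on (`regit.tmp%`, `regit.tmp4P`, `regit.tmpentindowsINetCookies`), so the raw strings cannot be fed to a blocklist as they stand. The script below is an added example written for this page, not part of the sandbox's tooling: it parses lines in this report's format, cuts each hit back to the file name, and aggregates hits per URL and per process. It assumes, as the rundll32 command lines later in the report confirm, that the genuine URLs end in a bare file name with a known extension; that extension list is an assumption, and a hit that does not fit it is kept but flagged for manual review rather than silently trimmed. The six sample lines are copied in shape from the hits above.

```python
"""Turn 'String found in binary or memory' URL hits from a sandbox report into a
deduplicated IOC table. Added example for this page; not the sandbox's own tooling."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

HIT_RE = re.compile(
    r"^Source:\s+(?P<sources>.+?)\s+String found in binary or memory:\s+(?P<string>.+)$")
SOURCE_RE = re.compile(r"(\S+\.exe),\s+(\S+\.sdmp)")
# Assumption: the genuine URLs end in a bare file name with one of these extensions
# (txt and tmp are the two seen in the rundll32 command lines of this report); anything
# after the extension is treated as adjacent memory, not part of the URL.
KNOWN_EXTS = ("txt", "tmp", "exe", "dll", "zip", "dat", "bin")
URL_RE = re.compile(
    r"^(https?://[^\s/]+/(?:[^\s/]+/)*[^\s/.]+\.(?:%s))" % "|".join(KNOWN_EXTS), re.IGNORECASE)
URL_CHARS_RE = re.compile(r"^https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Constructed sample: six lines in the exact shape of the hits above.
REPORT_LINES = [
    "Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp%",
    "Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp0",
    "Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp6634-1003",
    "Source: loaddll32.exe, 00000000.00000002.2084984797.0000000000A80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpaC:",
    "Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpentindowsINetCookies",
    "Source: rundll32.exe, 00000009.00000002.3273671925.0000000002E80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtPR",
]


def normalise_url(raw):
    """Return (url, exact). exact is False when no known file name was found and the
    string was only cut at the first non-URL character, so an analyst should check it."""
    m = URL_RE.match(raw)
    if m:
        return m.group(1), True
    m = URL_CHARS_RE.match(raw)
    return (m.group(0) if m else raw), False


def aggregate(lines):
    """Map each normalised URL to its hit count (one per memory dump), the processes it
    was found in, the raw strings it came from, and whether every cut was exact."""
    table = defaultdict(lambda: {"hits": 0, "processes": set(), "raw": set(), "exact": True})
    for line in lines:
        m = HIT_RE.match(line.strip())
        if not m or not m.group("string").lower().startswith("http"):
            continue  # not a URL hit (e.g. the 'Hyper-V RAW' strings later in the report)
        sources = SOURCE_RE.findall(m.group("sources"))
        url, exact = normalise_url(m.group("string"))
        entry = table[url]
        entry["hits"] += len(sources)
        entry["processes"].update(proc for proc, _dump in sources)
        entry["raw"].add(m.group("string"))
        entry["exact"] &= exact
    return dict(table)


def hosts(table):
    """Distinct hostnames across the normalised URLs (domain-level IOCs)."""
    return sorted({urlsplit(url).hostname for url in table})


if __name__ == "__main__":
    iocs = aggregate(REPORT_LINES)
    for url, info in sorted(iocs.items()):
        flag = "" if info["exact"] else "  (review cut)"
        print(f"{url}  hits={info['hits']}  processes={sorted(info['processes'])}{flag}")
    print("hosts:", hosts(iocs))
```

Run on the six sample lines this collapses the hits to `https://rammenale.com/for2/regit.tmp` and `https://rammenale.com/for2/aclog.txt` on the single host `rammenale.com`; the raw strings are kept in the table so nothing from the report is lost when the cut is wrong.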
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E970D 0_2_6F9E970D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9F44AB 0_2_6F9F44AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E93CB 0_2_6F9E93CB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9F9BE9 0_2_6F9F9BE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E9A6C 0_2_6F9E9A6C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9F4000 0_2_6F9F4000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E970D 3_2_6F9E970D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9F44AB 3_2_6F9F44AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E93CB 3_2_6F9E93CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9F9BE9 3_2_6F9F9BE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E9A6C 3_2_6F9E9A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9F4000 3_2_6F9F4000
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6F9E38C0 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6F9E38C0 appears 45 times
Source: Dll1.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal80.evad.winDLL@20/0@2/1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E1CFA CloseHandle,CoInitialize,CoCreateInstance,CoUninitialize,ExpandEnvironmentStringsW,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize, 0_2_6F9E1CFA
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: Dll1.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain
Source: Dll1.dll ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Dll1.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp Jump to behavior
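The process tree above shows two rundll32 patterns worth catching on a real host, independent of this sample: the DLL is loaded from the user's Desktop by ordinal (`,#1`) and by a non-standard export (`mydllmain`), and a rundll32 instance spawns a second rundll32 that hands `shimgvw.dll,ImageView_Fullscreen` a remote URL. The script below is an added example written for this page; it applies those checks to `Process created:` lines in this report's format and does not reproduce the logic of the Sigma rules that fired. Four of the sample lines are copied from the tree above, the explorer.exe line is a constructed benign control, and the rule names and the expected-extension set are assumptions.

```python
"""Flag suspicious rundll32 process creations from the 'Process created:' lines of a
sandbox report. Added example for this page; the checks mirror the patterns visible
in the process tree, not the logic of the Sigma rules that fired."""
import re
from pathlib import PureWindowsPath

PROC_RE = re.compile(
    r"^Source:\s+(?P<parent>\S+)\s+Process created:\s+(?P<image>\S+)\s+(?P<cmdline>.+?)"
    r"(?:\s+Jump to behavior)?\s*$")
# rundll32.exe <module>[,<entry>] [<arguments>]; the module may be quoted
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?P<module>"[^"]+"|\S+?)(?:,(?P<entry>\S+))?(?:\s+(?P<args>.*))?$',
    re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumption: the extensions rundll32 is expected to load; anything else is suspicious
DLL_EXTS = {".dll", ".cpl", ".ocx"}

# Four lines copied from the process tree above plus one constructed benign control
# (explorer.exe opening the display control panel through shell32.dll).
SAMPLE_LINES = [
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1 Jump to behavior',
    r'Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt',
    r'Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Dll1.dll"',
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
]


def analyse(parent, image, cmdline):
    """Return the rule ids that fire for one process creation (empty for non-rundll32)."""
    m = RUNDLL_RE.match(cmdline)
    if PureWindowsPath(image).name.lower() != "rundll32.exe" or not m:
        return []
    module = PureWindowsPath(m.group("module").strip('"'))
    entry, args = m.group("entry") or "", m.group("args") or ""
    fired = []
    if URL_RE.search(args):
        fired.append("url-in-arguments")        # export handed a remote URL to fetch
    if module.suffix.lower() not in DLL_EXTS:
        fired.append("non-dll-extension")       # module name does not look like a DLL
    if "users" in (part.lower() for part in module.parts):
        fired.append("module-in-user-profile")  # loaded from a user-writable location
    if entry.startswith("#"):
        fired.append("ordinal-entry-point")     # ,#1 hides the export's name
    if PureWindowsPath(parent).name.lower() == "rundll32.exe":
        fired.append("rundll32-spawns-rundll32")
    return fired


def scan(lines):
    """Parse report lines and return one finding per process creation that fires."""
    findings = []
    for line in lines:
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        rules = analyse(m.group("parent"), m.group("image"), m.group("cmdline"))
        if rules:
            findings.append({"parent": m.group("parent"), "cmdline": m.group("cmdline"), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{', '.join(f['rules']):45s} {f['parent']} -> {f['cmdline']}")
```

On the sample lines three of the five creations fire: the Desktop DLL twice (user-profile path, and ordinal export for the `#1` call) and the shimgvw.dll child (remote URL argument, rundll32 parent), while the loaddll32.exe harness and the explorer.exe control stay quiet. On a production host the `url-in-arguments` and `ordinal-entry-point` checks are the low-noise ones; `module-in-user-profile` needs an allowlist for installers that legitimately unpack to `%LOCALAPPDATA%`.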
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Dll1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Dll1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Dll1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Dll1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Dll1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Dll1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Dll1.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Dll1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Dll1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Dll1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Dll1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Dll1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Dll1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9FA301 push ecx; ret 0_2_6F9FA314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9FA301 push ecx; ret 3_2_6F9FA314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0475F2EC push 840843CEh; iretd 5_2_0475F2F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04E0ECB6 push 825076FAh; retn 0002h 9_2_04E0EDEA
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe API coverage: 6.7 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 6.1 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7460 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7476 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E1629 FindFirstFileW,CloseHandle,_strlen,ExpandEnvironmentStringsW,CopyFileW,Sleep,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 0_2_6F9E1629
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9F1C74 FindFirstFileExW, 0_2_6F9F1C74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E1629 FindFirstFileW,CloseHandle,_strlen,ExpandEnvironmentStringsW,CopyFileW,Sleep,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 3_2_6F9E1629
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9F1C74 FindFirstFileExW, 3_2_6F9F1C74
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 30000 Jump to behavior
Source: rundll32.exe, 0000000B.00000002.3274796619.00000000088BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: rundll32.exe, 00000006.00000002.3274805413.0000000008499000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWwR9
Source: rundll32.exe, 00000005.00000002.3274732553.000000000843D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3274732553.0000000008469000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3274805413.0000000008499000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3274905046.0000000008B4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008DD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3274796619.000000000891D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275450644.000000000920D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%\system32\dnsapi.dll,-103Pv\g
Source: rundll32.exe, 00000006.00000002.3274805413.000000000846E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXdJ
Source: rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E3741 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6F9E3741
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9F2E75 GetProcessHeap, 0_2_6F9F2E75
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E3741 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6F9E3741
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E324C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6F9E324C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9EC07A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6F9EC07A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E3741 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6F9E3741
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E324C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6F9E324C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9EC07A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6F9EC07A

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 131.153.206.231 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E393B cpuid 0_2_6F9E393B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F9E3390 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6F9E3390