Windows Analysis Report
UiFttnkl2R.dll

Overview

General Information

Sample name: UiFttnkl2R.dll
renamed because original name is a hash value
Original sample name: d0c554c836f955997316acf30b5039b52e5c9a8b127a5f33107314a481663b5e.dll
Analysis ID: 1500942
MD5: 8620a8a3f75b8b63766bd0f489f33d6a
SHA1: ffe90dfdfbb5d7d33392887b2a3995cbfba2aae8
SHA256: d0c554c836f955997316acf30b5039b52e5c9a8b127a5f33107314a481663b5e
Tags: dllrammenale-com

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: rundll32 run dll from internet
System process connects to network (likely due to code injection or exploit)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Rundll32 Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: https://rammenale.com/for2/zetaq.txtZ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtV Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq/ts/ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtC: Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtL Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtK Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtsC: Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtG Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtP$ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtE Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtD Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtw Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtt Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt6634-1002 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtr Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtn Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtent-1002 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtc Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtI% Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtxt Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtPf Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4U Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt50 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtentndowsINetCookies; Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt~ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtentu Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt8 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4Y Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt6 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtes Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaqtxt Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt. Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4m Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtent Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt& Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaqonts/c Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt# Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4er Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4q Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq/a Avira URL Cloud: Label: malware
Source: UiFttnkl2R.dll ReversingLabs: Detection: 42%
Source: UiFttnkl2R.dll Virustotal: Detection: 51%
Source: UiFttnkl2R.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: UiFttnkl2R.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF15A4 FindFirstFileW,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 0_2_6CDF15A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF15A4 FindFirstFileW,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 3_2_6CDF15A4

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 131.153.206.231 443
Source: Joe Sandbox View ASN Name: SS-ASHUS SS-ASHUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: rammenale.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: rammenale.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: rammenale.com | Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: rammenale.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: rammenale.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: rammenale.com | Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: rammenale.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 29 Aug 2024 04:53:04 GMT | server: LiteSpeed | alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 29 Aug 2024 04:53:04 GMT | server: LiteSpeed | alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 29 Aug 2024 04:53:05 GMT | server: LiteSpeed | alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: rundll32.exe, 00000006.00000003.1723075107.00000000050C7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1723013012.00000000050C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.wikipedia
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1717234700.00000000050AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000884D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.0000000008838000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/8EEF8FF4BF719EAB539B52
Source: rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/Data
Source: rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/YSTEM32
Source: rundll32.exe, 00000008.00000002.2937478623.00000000027B7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/fo10280/zet2
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt
Source: rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt#
Source: rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt&
Source: rundll32.exe, 00000006.00000002.2940217585.0000000008834000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt.
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt4
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt4U
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt4Y
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt4er
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt4m
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt4q
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt50
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt6
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt6634-1002
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002A6A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt8
Source: rundll32.exe, 00000003.00000002.1721988527.0000000003230000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1722847273.0000000003170000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937582224.0000000002940000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937723951.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937794002.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937581731.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937583525.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtC:
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtD
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtE
Source: rundll32.exe, 00000006.00000002.2937794002.0000000003058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtG
Source: rundll32.exe, 00000006.00000002.2937794002.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtI%
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtK
Source: rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtL
Source: rundll32.exe, 00000006.00000002.2937651056.0000000002E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtP$
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtPf
Source: rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtV
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtZ
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtc
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937794002.000000000301F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtent
Source: rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtent-1002
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtentndowsINetCookies;
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtentu
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtes
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtg
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtk
Source: rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtl
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtn
Source: rundll32.exe, 00000006.00000002.2937794002.0000000003058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtr
Source: loaddll32.exe, 00000000.00000002.1751507131.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtsC:
Source: rundll32.exe, 00000006.00000002.2937794002.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtt
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtv
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtw
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtxt
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937723951.0000000002A6A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.0000000008876000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txtz
Source: rundll32.exe, 00000006.00000002.2940217585.000000000884D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq.txt~
Source: rundll32.exe, 00000005.00000002.2939087416.0000000004B9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq/a
Source: rundll32.exe, 00000005.00000002.2939087416.0000000004B9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaq/ts/
Source: rundll32.exe, 00000006.00000002.2939550917.00000000050C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaqonts/c
Source: rundll32.exe, 00000005.00000002.2937473872.0000000002577000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937480440.0000000002C77000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/zetaqtxt
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/u
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49735 version: TLS 1.2
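The Networking section lists dozens of near-identical rammenale.com URLs scraped from process memory. Almost all of them are the one URL actually seen on the wire, https://rammenale.com/for2/zetaq.txt, followed by bytes that the string scanner read past the terminator (the "...txtC:" and "...txtentndowsINetCookies;" variants look like the start of a drive path and a fragment of an INetCookies path). All three GET requests for /for2/zetaq.txt were answered 404 Not Found, so the second stage was not retrieved in this run; the user agent is the form of the default urlmon/WinINet string (the editor's observation, not a finding in the report). The Python below is an added example by the editor, not code from the Joe Sandbox report or the sample. It collapses the memory strings onto the wire-observed indicator, keeps the rest for triage, and matches the report's network indicators (domain, 131.153.206.231, JA3 37f463bf4616ecd445d4a1937da06e19, the /for2/ path) against Zeek-style JSON log records that are constructed sample input.

```python
"""Reduce this report's memory-scraped URLs to wire-observed indicators and
match the report's network indicators against log lines.

Added example, not code from the Joe Sandbox report. MEMORY_STRINGS are
copied from the report; LOG_LINES are constructed sample input.
"""
import json

# Observed on the wire in this run (HTTP traffic detected / DNS query).
WIRE_URLS = {"https://rammenale.com/for2/zetaq.txt"}

# A subset of the "String found in binary or memory" URLs listed above.
MEMORY_STRINGS = [
    "https://rammenale.com/for2/zetaq.txtC:",
    "https://rammenale.com/for2/zetaq.txtentndowsINetCookies;",
    "https://rammenale.com/for2/zetaq.txt6634-1002",
    "https://rammenale.com/for2/zetaq.txt",
    "https://rammenale.com/for2/zetaq",
    "https://rammenale.com/for2/zetaqtxt",
    "https://rammenale.com/for2/zetaq/ts/",
    "https://rammenale.com/fo10280/zet2",
    "https://rammenale.com/YSTEM32",
    "https://rammenale.com/",
    "https://login.live.com",
]

# Network indicators taken from the report's Networking section.
IOCS = {
    "domains": {"rammenale.com"},
    "ips": {"131.153.206.231"},
    "ja3": {"37f463bf4616ecd445d4a1937da06e19"},
    "uri_prefixes": {"/for2/"},
}

# Constructed Zeek-style JSON records (sample input, not from the report):
# the first two mirror the observed request and TLS session, the third is benign filler.
LOG_LINES = [
    '{"log":"http","id.resp_h":"131.153.206.231","host":"rammenale.com","uri":"/for2/zetaq.txt",'
    '"user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0)","status_code":404}',
    '{"log":"ssl","id.resp_h":"131.153.206.231","server_name":"rammenale.com","ja3":"37f463bf4616ecd445d4a1937da06e19"}',
    '{"log":"http","id.resp_h":"192.0.2.10","host":"example.com","uri":"/","user_agent":"curl/8.0","status_code":200}',
]


def canonicalise(memory_strings, wire_urls):
    """Split memory strings into (explained, unexplained).

    A string is explained when it is a wire URL followed by trailing bytes:
    the scanner read past the terminator into neighbouring memory. Those
    collapse onto the wire URL. Everything else (truncated reads, other
    paths, unrelated hosts) is returned verbatim so an analyst can triage
    it rather than have it silently dropped.
    """
    explained, unexplained = {}, []
    for s in memory_strings:
        for url in wire_urls:
            if s.startswith(url):
                explained.setdefault(url, []).append(s)
                break
        else:
            unexplained.append(s)
    return explained, unexplained


def match_iocs(line, iocs):
    """Return the indicator types a single JSON log record matches, in fixed order."""
    rec = json.loads(line)
    host = rec.get("host") or rec.get("server_name")
    hits = []
    if rec.get("id.resp_h") in iocs["ips"]:
        hits.append("ip")
    if host in iocs["domains"]:
        hits.append("domain")
    # A JA3 hash fingerprints the TLS client stack, which many benign programs
    # share; treat it as corroboration, never as a standalone verdict.
    if rec.get("ja3") in iocs["ja3"]:
        hits.append("ja3")
    if host in iocs["domains"] and any(rec.get("uri", "").startswith(p) for p in iocs["uri_prefixes"]):
        hits.append("uri")
    return hits


if __name__ == "__main__":
    explained, unexplained = canonicalise(MEMORY_STRINGS, WIRE_URLS)
    for url, variants in explained.items():
        print(f"{url}  <- {len(variants)} memory variants")
    print("needs triage:", *unexplained, sep="\n  ")
    for line in LOG_LINES:
        print(match_iocs(line, IOCS) or "-", line[:60])
```

The unexplained list is the useful output: https://rammenale.com/for2/zetaq/ts/, /for2/zetaq/a and /fo10280/zet2 are not over-reads of the wire URL and may be further paths on the same host, while https://login.live.com is a common Windows string and can be discarded after a glance.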
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF95FA 0_2_6CDF95FA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE03D30 0_2_6CE03D30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE041DB 0_2_6CE041DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF9959 0_2_6CDF9959
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE09919 0_2_6CE09919
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF92B8 0_2_6CDF92B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF95FA 3_2_6CDF95FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CE03D30 3_2_6CE03D30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CE041DB 3_2_6CE041DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF9959 3_2_6CDF9959
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CE09919 3_2_6CE09919
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF92B8 3_2_6CDF92B8
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6CDF37A0 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CDF37A0 appears 45 times
Source: UiFttnkl2R.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: rundll32.exe, 00000005.00000002.2939087416.0000000004B9A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: is a trademark of The Monotype Corporation which may be registered in certain jurisdictions.Inc. All rights reserved.slnt4
Source: classification engine Classification label: mal80.evad.winDLL@14/0@1/1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF1C39 CoInitialize,CoCreateInstance,CoUninitialize,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize, 0_2_6CDF1C39
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: UiFttnkl2R.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmain
Source: UiFttnkl2R.dll ReversingLabs: Detection: 42%
Source: UiFttnkl2R.dll Virustotal: Detection: 51%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: UiFttnkl2R.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UiFttnkl2R.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UiFttnkl2R.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UiFttnkl2R.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UiFttnkl2R.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UiFttnkl2R.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UiFttnkl2R.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: UiFttnkl2R.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UiFttnkl2R.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UiFttnkl2R.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UiFttnkl2R.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UiFttnkl2R.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE0A031 push ecx; ret 0_2_6CE0A044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CE0A031 push ecx; ret 3_2_6CE0A044
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe API coverage: 6.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7396 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7412 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF15A4 FindFirstFileW,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 0_2_6CDF15A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF15A4 FindFirstFileW,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 3_2_6CDF15A4
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 30000
Source: rundll32.exe, 00000006.00000002.2940217585.0000000008838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWU
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2940012348.0000000008B50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.0000000008863000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.000000000898D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000002.2940217585.0000000008838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: rundll32.exe, 00000008.00000002.2939436401.000000000898D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF3621 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CDF3621
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE02BA7 GetProcessHeap, 0_2_6CE02BA7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF312C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CDF312C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDFBADE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CDFBADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF3621 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CDF3621
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDF312C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6CDF312C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CDFBADE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CDFBADE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 131.153.206.231 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF381B cpuid 0_2_6CDF381B
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDF3270 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6CDF3270