Source: RPHSNqfBjbKzV.dll |
Avira: detected |
Source: RPHSNqfBjbKzV.dll |
Virustotal: Detection: 41% |
Perma Link |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: RPHSNqfBjbKzV.dll |
Joe Sandbox ML: detected |
Source: RPHSNqfBjbKzV.dll |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04B433B0 |
3_2_04B433B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_056333B0 |
4_2_056333B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04EC33B0 |
6_2_04EC33B0 |
Source: RPHSNqfBjbKzV.dll |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: classification engine |
Classification label: mal68.spyw.winDLL@10/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_03 |
Source: RPHSNqfBjbKzV.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\SysWOW64\rundll32.exe |
File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\RPHSNqfBjbKzV.dll,#1 |
Source: RPHSNqfBjbKzV.dll |
Virustotal: Detection: 41% |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\RPHSNqfBjbKzV.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RPHSNqfBjbKzV.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\RPHSNqfBjbKzV.dll,#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RPHSNqfBjbKzV.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RPHSNqfBjbKzV.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RPHSNqfBjbKzV.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\RPHSNqfBjbKzV.dll,#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RPHSNqfBjbKzV.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RPHSNqfBjbKzV.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: RPHSNqfBjbKzV.dll |
Static file information: File size 6829568 > 1048576 |
Source: RPHSNqfBjbKzV.dll |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x5ec600 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04B43395 push ecx; ret |
3_2_04B433A8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04B564F0 push eax; ret |
3_2_04B5650E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_056464F0 push eax; ret |
4_2_0564650E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_05633395 push ecx; ret |
4_2_056333A8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04ED64F0 push eax; ret |
6_2_04ED650E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04EC3395 push ecx; ret |
6_2_04EC33A8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Windows\SysWOW64\rundll32.exe |
API coverage: 3.4 % |
Source: C:\Windows\SysWOW64\rundll32.exe |
API coverage: 3.4 % |
Source: C:\Windows\SysWOW64\rundll32.exe |
API coverage: 2.0 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
API call chain: ExitProcess graph end node |
Source: C:\Windows\SysWOW64\rundll32.exe |
API call chain: ExitProcess graph end node |
Source: C:\Windows\SysWOW64\rundll32.exe |
API call chain: ExitProcess graph end node |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04B4422B _memset,IsDebuggerPresent, |
3_2_04B4422B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04B4F0EF EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
3_2_04B4F0EF |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_04B411A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_04B411A4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_056311A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_056311A4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04EC11A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
6_2_04EC11A4 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RPHSNqfBjbKzV.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
3_2_04B433B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
3_2_04B42C29 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
3_2_04B4E1C6 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
4_2_0563E1C6 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
4_2_05632C29 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
4_2_056333B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
6_2_04ECE1C6 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
6_2_04EC33B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
6_2_04EC2C29 |
Source: C:\Windows\SysWOW64\rundll32.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log |
Jump to behavior |