Windows Analysis Report
KdejHWo7Xp.dll

Overview

General Information

Sample name: KdejHWo7Xp.dll
Analysis ID: 1543869
MD5: d314b21925e3d51347a059776eff941b
SHA1: 427ff082c0a2b0a4ebeeeb351254a4ebd0021945
SHA256: 1eb103245a213a1089c27dd6f4bba7673ee1b461b2e56943e7a83fa02f5ab7dd

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: KdejHWo7Xp.dll Avira: detected
Source: KdejHWo7Xp.dll ReversingLabs: Detection: 58%
Source: rundll32.exe Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Source: KdejHWo7Xp.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: KdejHWo7Xp.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2k-x32\out32dll\ssleay32.pdb source: loaddll32.exe, 00000000.00000001.994418402.0000000001B04000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.936002489.0000000005664000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2168406757.00000000056C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.954317938.00000000050C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2168347978.0000000004D24000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2k-x32\out32dll\libeay32.pdb source: loaddll32.exe, 00000000.00000001.994418402.0000000001B04000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.936002489.0000000005664000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2168406757.00000000056C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.954317938.00000000050C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2168347978.0000000004D24000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CDEFB8 FindFirstFileW,FindClose, 4_2_04CDEFB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CDE9EC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 4_2_04CDE9EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0433EFB8 FindFirstFileW,FindClose, 13_2_0433EFB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0433E9EC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 13_2_0433E9EC

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 86.38.217.167 80
Source: Joe Sandbox View ASN Name: LRTC-ASLT LRTC-ASLT
Source: global traffic TCP traffic: 192.168.11.20:49720 -> 86.38.217.167:80
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: rundll32.exe, 0000000D.00000002.2168347978.0000000006269000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://creativecommons.org/licenses/LGPL/2.1/;
Source: rundll32.exe, 0000000D.00000002.2168347978.0000000006269000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://creativecommons.org/licenses/by/2.5/
Source: rundll32.exe, 0000000D.00000002.2168347978.0000000006269000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://creativecommons.org/licenses/by/3.0/
Source: rundll32.exe, 0000000D.00000002.2168347978.0000000006269000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://everaldo.com/crystal/
Source: rundll32.exe, 0000000D.00000002.2168347978.0000000006269000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.famfamfam.com/lab/icons/silk/
Source: rundll32.exe, rundll32.exe, 0000000D.00000002.2454593375.000000000857C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: loaddll32.exe, 00000000.00000001.994418402.0000000001B04000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.936002489.0000000005664000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2168406757.00000000056C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.954317938.00000000050C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2168347978.0000000004D24000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/V
Source: loaddll32.exe, 00000000.00000001.994418402.0000000001B04000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.936002489.0000000005664000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2168406757.00000000056C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.954317938.00000000050C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2168347978.0000000004D24000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: loaddll32.exe, 00000000.00000001.994418402.0000000001B04000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.936002489.0000000005664000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2168406757.00000000056C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.954317938.00000000050C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2168347978.0000000004D24000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: rundll32.exe String found in binary or memory: https://synopse.info/files/sqlite3obj.7z
Source: rundll32.exe, 00000003.00000002.932942252.0000000004C71000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2160060268.0000000004CD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.951260313.00000000046D1000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://synopse.info/files/sqlite3obj.7zSV
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 9108 -s 1080
Source: KdejHWo7Xp.dll Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: KdejHWo7Xp.dll Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: classification engine Classification label: mal64.evad.winDLL@24/20@0/1
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\Desktop\libeay32.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9044:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2944
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9044:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess9108
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6104
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1896
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4599c5a6-9518-40c5-832b-f3a0df599c04
Source: Yara match File source: KdejHWo7Xp.dll, type: SAMPLE
Source: Yara match File source: 0000000E.00000002.1017511487.00000000043F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2160060268.0000000004CD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1021564543.0000000004211000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.951260313.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.932942252.0000000004C71000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2160427059.0000000004331000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rundll32.exe, 00000003.00000002.935428498.0000000005621000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2166356650.0000000005681000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.953737617.0000000005081000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2166196017.0000000004CE1000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000003.00000002.935428498.0000000005621000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2166356650.0000000005681000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.953737617.0000000005081000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2166196017.0000000004CE1000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: rundll32.exe, 00000003.00000002.935428498.0000000005621000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2166356650.0000000005681000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.953737617.0000000005081000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2166196017.0000000004CE1000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: rundll32.exe, 00000003.00000002.935428498.0000000005621000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2166356650.0000000005681000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.953737617.0000000005081000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2166196017.0000000004CE1000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: rundll32.exe, 00000003.00000002.935428498.0000000005621000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2166356650.0000000005681000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.953737617.0000000005081000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2166196017.0000000004CE1000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: rundll32.exe, 00000003.00000002.935428498.0000000005621000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2166356650.0000000005681000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.953737617.0000000005081000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2166196017.0000000004CE1000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: rundll32.exe, 00000003.00000002.935428498.0000000005621000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2166356650.0000000005681000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.953737617.0000000005081000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2166196017.0000000004CE1000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: rundll32.exe, 00000003.00000002.935428498.0000000005621000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2166356650.0000000005681000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.953737617.0000000005081000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2166196017.0000000004CE1000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: rundll32.exe String found in binary or memory: NATS-SEFI-ADD
Source: rundll32.exe String found in binary or memory: NATS-DANO-ADD
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: rundll32.exe String found in binary or memory: jp-ocr-b-add
Source: rundll32.exe String found in binary or memory: jp-ocr-hand-add
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: rundll32.exe String found in binary or memory: ISO_6937-2-add
Source: rundll32.exe String found in binary or memory: site-Addressing
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\KdejHWo7Xp.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KdejHWo7Xp.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KdejHWo7Xp.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KdejHWo7Xp.dll,B080723_N
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 9108 -s 1080
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KdejHWo7Xp.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1064
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KdejHWo7Xp.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KdejHWo7Xp.dll",B080723_N
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KdejHWo7Xp.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KdejHWo7Xp.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KdejHWo7Xp.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 1080
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1072
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: magnification.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: d3d9.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: colorui.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: mscms.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: coloradapterclient.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: compstui.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msimg32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: inetres.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: propsys.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: profapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: KdejHWo7Xp.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: KdejHWo7Xp.dll Static file information: File size 68329984 > 1048576
Source: KdejHWo7Xp.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x98c400
Source: KdejHWo7Xp.dll Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x368de00
Source: KdejHWo7Xp.dll Static PE information: More than 200 imports for user32.dll
Source: KdejHWo7Xp.dll Static PE information: section name: .didata
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CF6C70 push ecx; mov dword ptr [esp], ecx 4_2_04CF6C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D105D0 push ecx; mov dword ptr [esp], eax 4_2_04D105D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D119B0 push ecx; mov dword ptr [esp], eax 4_2_04D119B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04D8C10C push ecx; mov dword ptr [esp], edx 4_2_04D8C10D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04356C70 push ecx; mov dword ptr [esp], ecx 13_2_04356C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043EC10C push ecx; mov dword ptr [esp], edx 13_2_043EC10D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043719B0 push ecx; mov dword ptr [esp], eax 13_2_043719B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_043705D0 push ecx; mov dword ptr [esp], eax 13_2_043705D1
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\Desktop\ssleay32.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\Desktop\libeay32.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04E4379C GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 3_2_04E4379C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EA379C GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 4_2_04EA379C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EA3718 IsIconic, 4_2_04EA3718
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_048A379C GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 9_2_048A379C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04503718 IsIconic, 13_2_04503718
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0450379C GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 13_2_0450379C
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ssleay32.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\Desktop\libeay32.dll
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CDEFB8 FindFirstFileW,FindClose, 4_2_04CDEFB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CDE9EC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 4_2_04CDE9EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0433EFB8 FindFirstFileW,FindClose, 13_2_0433EFB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0433E9EC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 13_2_0433E9EC
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 00000004.00000002.2154689700.0000000003431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2153503095.00000000029BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 86.38.217.167 80
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KdejHWo7Xp.dll",#1
Source: rundll32.exe, 00000003.00000002.932942252.0000000004C71000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2160060268.0000000004CD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.951260313.00000000046D1000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndSV
Source: rundll32.exe, 00000003.00000002.932942252.0000000004C71000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2160060268.0000000004CD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.951260313.00000000046D1000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndSVW
Source: rundll32.exe, 00000004.00000002.2460714274.0000000009B45000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: program manager!L
Source: rundll32.exe, 00000004.00000002.2460714274.0000000009B45000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: program manager1Z
Source: rundll32.exe Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.932942252.0000000004C71000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2160060268.0000000004CD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.951260313.00000000046D1000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
Source: rundll32.exe, 0000000D.00000002.2461695280.0000000009195000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: program manager
Source: rundll32.exe, 00000003.00000002.932942252.0000000004C71000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2160060268.0000000004CD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.951260313.00000000046D1000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndU
Source: rundll32.exe, 0000000D.00000002.2461695280.0000000009195000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: program managerAS
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 4_2_04CDF0F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_04CDE590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 13_2_0433F0F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_0433E590
Source: C:\Windows\System32\loaddll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\loaddll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: rundll32.exe, 00000004.00000002.2154689700.000000000348E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2153503095.00000000029EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct