Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Virustotal: Detection: 55%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: sc.pdb source: loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
String found in binary or memory: http://www.kaikuoyun.com/list-127-1.htmlDVarFileInfo$
Source: loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
String found in binary or memory: http://www.kaikuoyun.com/list-127-1.htmll)
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_100511B0
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_100A75C6
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_100511B0
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_100A75C6
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Binary or memory string: OriginalFilenamebszip.dll" vs SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Binary or memory string: OriginalFilenamesc.exej% vs SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: C:\Windows\System32\loaddll32.exe
Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe
Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe
Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe
Section loaded: apphelp.dll
Source: classification engine
Classification label: mal52.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll"
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\System32\loaddll32.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\InprocServer32
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Static file information: File size 2334720 > 1048576
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x150000
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_10050430 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_1009FAD0 push eax; ret 0_2_1009FAFE
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_10013787 push ecx; retf 0001h 0_2_10013788
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_100A1798 push eax; ret 0_2_100A17B6
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_1009FAD0 push eax; ret 3_2_1009FAFE
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_10013787 push ecx; retf 0001h 3_2_10013788
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_100A1798 push eax; ret 3_2_100A17B6
Source: C:\Windows\System32\loaddll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_100060FC rdtsc
Source: C:\Windows\System32\loaddll32.exe
API coverage: 9.5 %
Source: C:\Windows\SysWOW64\rundll32.exe
API coverage: 6.7 %
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe
API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe
API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_1000BC31 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_1000DC38 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_1000E4D8 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_1000B391 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_1000BC31 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_1000DC38 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_1000E4D8 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_1000B391 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe
Process token adjusted: Debug
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Binary or memory string: Program ManagerProgman
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: Program Manager
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: Progman
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_1002F8C8 cpuid
Source: C:\Windows\System32\loaddll32.exe
Code function: 0_2_1009E49D GetVersion,GetCommandLineA,
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: kxetray.exe
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: 360Tray.exe