Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll | Virustotal: Detection: 57% |
Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll | Metadefender: Detection: 24% |
Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll | ReversingLabs: Detection: 50% |
Source: ERRoqGpsIS.dll | Virustotal: Detection: 57% |
Source: ERRoqGpsIS.dll | Metadefender: Detection: 24% |
Source: ERRoqGpsIS.dll | ReversingLabs: Detection: 50% |
Source: ERRoqGpsIS.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: unknown | HTTPS traffic detected: 104.21.45.75:443 -> 192.168.2.3:49728 version: TLS 1.2 |
Source: | Binary string: c:\FindHeard\EndLook\ChartBegan\WinSentence\Rain.pdb source: loaddll32.exe, 00000000.00000002.302107930.000000006E4F5000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dll |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_008215D0 FindFirstFileW,FindNextFileW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov byte ptr [ebp+edi-50h], al | 0_2_6E4D0230 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov al, byte ptr [edx+ebx] | 0_2_6E4CEAB0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov edi, 00000002h | 0_2_6E4B2730 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov edi, dword ptr [ebp+ebx*4-00000114h] | 0_2_6E4C9BF0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then xor ebx, ebx | 0_2_6E4BEB90 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then inc edi | 0_2_6E4C1F90 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov byte ptr [ebp+ebx-00000084h], al | 0_2_6E4CF870 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov esi, dword ptr [6E4D66F0h+edi*4] | 0_2_6E4C88F0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movsx ebx, byte ptr [esi] | 0_2_6E4C1D60 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then push dword ptr [ebp-14h] | 0_2_6E4B7170 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then add esi, 02h | 0_2_6E4CE970 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov esi, dword ptr [008266F0h+edi*4] | 14_2_008188F0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov byte ptr [ebp+ebx-00000084h], al | 14_2_0081F870 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movsx ebx, byte ptr [esi] | 14_2_00811D60 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then push dword ptr [ebp-14h] | 14_2_00807170 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then add esi, 02h | 14_2_0081E970 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov al, byte ptr [edx+ebx] | 14_2_0081EAB0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov byte ptr [ebp+edi-50h], al | 14_2_00820230 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then xor ebx, ebx | 14_2_0080EB90 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then inc edi | 14_2_00811F90 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov edi, dword ptr [ebp+ebx*4-00000114h] | 14_2_00819BF0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov edi, 00000002h | 14_2_00802730 |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: unknown | DNS traffic detected: queries for: earfetti.com |
Source: loaddll32.exe, 00000000.00000002.302144785.000000006E51C000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dll | String found in binary or memory: http://www.enoughthose.de8 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728 |
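The network rows above (JA3 hash, DNS query, TLS endpoint) together with the mutex, dropped-file and PDB rows further down are the indicators worth lifting out of this report. The parser below is an added example, not a Joe Sandbox tool and not code from the sample: it reads signature rows either in the single-line form "Source: X | finding | address |" or in the flattened form where the same row is split over several lines, and collects the indicators into sets. SAMPLE consists of rows copied from this report (the long memory-dump source lists are trimmed); the rule that the private address on a connection is the sandbox guest and the other side is the remote endpoint is this example's assumption.

```python
r"""
Added example: extract IOCs from Joe Sandbox signature rows as they appear on
this page. Rows are copied from the report; the parser itself is not sandbox code.
"""
import ipaddress
import re
from typing import Dict, List, Set

SAMPLE = r"""
Source: unknown |
HTTPS traffic detected: 104.21.45.75:443 -> 192.168.2.3:49728 version: TLS 1.2 |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: unknown |
DNS traffic detected: queries for: earfetti.com |
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{AE3C19F7-A2D0-F8C5-70B9-D0EFD3468FD7} |
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll |
Source: | Binary string: c:\FindHeard\EndLook\ChartBegan\WinSentence\Rain.pdb source: loaddll32.exe, ERRoqGpsIS.dll |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 4x nop then xor ebx, ebx |
0_2_6E4BEB90 |
"""

# One regex per indicator class; group(1) is the value to keep.
IOC_RULES: Dict[str, "re.Pattern[str]"] = {
    "domains": re.compile(r"^DNS traffic detected: queries for: (\S+)"),
    "ja3":     re.compile(r"^JA3 fingerprint: ([0-9a-f]{32})"),
    "mutexes": re.compile(r"^Mutant created: .*?(\{[0-9A-F-]{36}\})", re.I),
    "dropped": re.compile(r"^File created: (.+\.(?:dll|exe))$", re.I),
    "pdb":     re.compile(r"^Binary string: (\S+\.pdb)", re.I),
    "urls":    re.compile(r"^String found in binary or memory: (https?://\S+)", re.I),
}
IP_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def rows(text: str) -> List[List[str]]:
    """Group lines into rows. A line starting with 'Source:' opens a new row;
    every '|'-separated non-empty cell on that and following lines joins it,
    so the flattened multi-line layout and the one-line layout parse alike."""
    out: List[List[str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Source:"):
            out.append([])
        if not out:          # text before the first Source: cell is ignored
            continue
        out[-1].extend(c.strip() for c in line.split("|") if c.strip())
    return out


def extract(text: str) -> Dict[str, Set[str]]:
    """Return {indicator class: set of values} for every row in text."""
    iocs: Dict[str, Set[str]] = {k: set() for k in IOC_RULES}
    iocs["remote_endpoints"] = set()
    for row in rows(text):
        for cell in row[1:]:                     # row[0] is the Source cell
            for key, rx in IOC_RULES.items():
                m = rx.match(cell)
                if m:
                    iocs[key].add(m.group(1))
            if cell.startswith(("HTTPS traffic detected:", "Network traffic detected:")):
                m = IP_PORT.search(cell)
                if m:
                    a, ap, b, bp = m.groups()
                    # Assumption: the private address is the sandbox guest,
                    # so the non-private side is the remote endpoint.
                    for host, port in ((a, ap), (b, bp)):
                        if not ipaddress.ip_address(host).is_private:
                            iocs["remote_endpoints"].add(f"{host}:{port}")
    return iocs


if __name__ == "__main__":
    for key, values in extract(SAMPLE).items():
        print(f"{key}: {sorted(values)}")
```

Rows with no indicator (the "Code function" row in SAMPLE) are parsed but contribute nothing, which keeps the extractor safe to run over the whole report rather than a hand-picked subset.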
Source: C:\Windows\System32\loaddll32.exe | Process Stats: CPU usage > 98% |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2B90 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B3E10 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4BB3D0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4CA000 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B68C0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C88F0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2DD0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4BC9A0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4EBECF |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4F275F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4F2CA3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4F221B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4F4236 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_008068C0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_008188F0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0081A000 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0080C9A0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00802DD0 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00803E10 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00802B90 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0080B3D0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E4E97D8 appears 34 times |
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll |
Source: ERRoqGpsIS.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: inaxa.dll.14.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal60.evad.winDLL@3/1@1/1 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0080E070 AdjustTokenPrivileges, |
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Ilgyr |
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{AE3C19F7-A2D0-F8C5-70B9-D0EFD3468FD7} |
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{8E4429F7-92D0-D8BD-70B9-D0EFD3468FD7} |
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{3EAD2B6B-904C-6854-70B9-D0EFD3468FD7} |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ERRoqGpsIS.dll' |
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe |
Source: ERRoqGpsIS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: ERRoqGpsIS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: ERRoqGpsIS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: ERRoqGpsIS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: ERRoqGpsIS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: ERRoqGpsIS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: ERRoqGpsIS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: ERRoqGpsIS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: ERRoqGpsIS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: ERRoqGpsIS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: ERRoqGpsIS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4CF870 LoadLibraryA,GetProcAddress, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C0380 push eax; ret | 0_2_6E4C038A |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4DF6C6 push FFFFFFFFh; ret | 0_2_6E4DF6D4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4DDC4B push esp; ret | 0_2_6E4DDC7B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4D9C73 push es; iretd | 0_2_6E4D9D28 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4D9CB3 push es; iretd | 0_2_6E4D9D28 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4E981D push ecx; ret | 0_2_6E4E9830 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4D98AA push esp; ret | 0_2_6E4D98B9 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E509381 push eax; ret | 0_2_6E5093B1 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E509400 push eax; ret | 0_2_6E5093B1 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00823CEA push D85411E4h; iretd | 14_2_00823CF6 |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00810380 push eax; ret | 14_2_0081038A |
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll |
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences) |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4EDA28 sldt word ptr [eax] |
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4E8B05 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C3E90 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E50A2F7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E509E34 push dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E50A22D mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00813E90 mov eax, dword ptr fs:[00000030h] |
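The sandbox attributes each of the code patterns in this report to a function address from its own disassembler: the "4x nop then <insn>" rows earlier, and here the fs:[30h] reads (the 32-bit PEB, where BeingDebugged sits at offset 2 and the loader lists hang off Ldr), the sldt instruction (an LDT-register read used as a VM probe) and the push/ret pairs. The scanner below is an added example, not sandbox code and not bytes from ERRoqGpsIS.dll: it re-creates those four heuristics as raw opcode patterns so they can be run over an extracted .text section offline. SAMPLE is a constructed byte string, and the match rules (a run of at least four 0x90 bytes, the encodings 64 A1 30000000 and 64 FF35 30000000, the memory forms of 0F 00 /0, and push reg immediately followed by ret) are this example's assumptions about what the sandbox flags. The IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess chain reported alongside is characteristic of MSVC's __report_gsfailure runtime boilerplate, which is why the scanner targets inline instruction patterns rather than that API sequence.

```python
"""
Added example: byte-level versions of four static heuristics that appear in
the sandbox rows for this sample. SAMPLE is constructed, not the DLL's bytes.
"""
import re
from typing import Dict, List, Optional, Tuple

# 32-bit x86 encodings. Each regex runs over raw bytes, so apply it to code
# sections only (IMAGE_SCN_CNT_CODE) and treat hits as leads, not verdicts.
PATTERNS: Dict[str, bytes] = {
    "4x_nop_then_insn": rb"(?<!\x90)\x90{4,}",                       # start of a run of >= 4 nops
    "mov_eax_fs30":     rb"\x64\xa1\x30\x00\x00\x00",                 # mov eax, dword ptr fs:[30h]
    "push_fs30":        rb"\x64\xff\x35\x30\x00\x00\x00",             # push dword ptr fs:[30h]
    "sldt_mem":         rb"\x0f\x00[\x00-\x07\x40-\x47\x80-\x87]",    # sldt [mem]: 0F 00 /0, mod != 11
    "push_reg_ret":     rb"[\x50-\x57]\xc3",                          # push eax..edi ; ret
}


def scan(buf: bytes, base: int = 0) -> Dict[str, List[int]]:
    """Return {pattern name: [addresses]} for every pattern with at least one
    hit. base is the address of buf[0], e.g. image base + section RVA, so the
    output lines up with the sandbox's 0_2_6E4Cxxxx style addresses."""
    hits: Dict[str, List[int]] = {}
    for name, pat in PATTERNS.items():
        offs = [base + m.start() for m in re.finditer(pat, buf)]
        if offs:
            hits[name] = offs
    return hits


def nop_runs(buf: bytes, base: int = 0) -> List[Tuple[int, int, Optional[int]]]:
    """(address, run length, first opcode byte of the instruction that follows),
    i.e. the 'then <insn>' half of the sandbox's '4x nop then ...' rows."""
    out: List[Tuple[int, int, Optional[int]]] = []
    for m in re.finditer(rb"(?<!\x90)\x90{4,}", buf):
        nxt = buf[m.end()] if m.end() < len(buf) else None
        out.append((base + m.start(), m.end() - m.start(), nxt))
    return out


# Constructed sample: a tiny function body that contains each pattern once or twice.
SAMPLE = (
    b"\x55\x8b\xec"                    # push ebp ; mov ebp, esp
    b"\x90\x90\x90\x90\x31\xdb"        # 4x nop then xor ebx, ebx
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, dword ptr fs:[30h]   (PEB)
    b"\x8a\x40\x02"                    # mov al, byte ptr [eax+2]      (PEB.BeingDebugged)
    b"\x0f\x00\x00"                    # sldt word ptr [eax]
    b"\x90\x90\x90\x90\x90\x90"        # 6 nops, also counted as a run
    b"\x50\xc3"                        # push eax ; ret
    b"\x64\xff\x35\x30\x00\x00\x00"    # push dword ptr fs:[30h]
    b"\xc9\xc3"                        # leave ; ret
)

if __name__ == "__main__":
    for name, addrs in scan(SAMPLE, base=0x6E4B0000).items():
        print(name, [f"{a:08X}" for a in addrs])
    for addr, length, nxt in nop_runs(SAMPLE, base=0x6E4B0000):
        print(f"{addr:08X}: {length} nops then opcode {nxt:02X}")
```

Because the scan is linear and never disassembles, a displacement or immediate can produce a hit (the 30 00 00 00 operand is a common data pattern, and 0F 00 appears inside longer instructions), so the sandbox's per-function attribution is the more reliable signal; use this to triage a dump or a section before opening it in a disassembler.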
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4EFE11 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4EAE48 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4E9009 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4CDD00 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess, |
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4F1A50 GetLocaleInfoA, |
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4EF1C8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
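Read together, the rows in this report describe one chain: loaddll32.exe starts msiexec.exe with an empty command line; the function at 0_2_6E4CDD00 carries the CreateProcessA, VirtualAllocEx/WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread sequence that hollows that child; the hollowed msiexec.exe writes inaxa.dll under AppData\Roaming\Ilgyr, creates three GUID-named mutexes that all end in 70B9-D0EFD3468FD7, and reads MachineGuid and DigitalProductId. The triage routine below is an added example, not sandbox output and not the sample's code: it turns those observations into hunting rules over process, file and mutex events. The Event schema, the pids and the benign control event are constructed; the shared-tail rule rests on the hypothesis that the mutex names are derived from a host identifier, which the registry reads are consistent with but the report does not prove. (The GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter row is characteristic of MSVC's __security_init_cookie and is not used here.)

```python
r"""
Added example: hunting rules for the loaddll32.exe -> bare msiexec.exe ->
dropped DLL + GUID mutexes chain in this report. The event schema and the
sample events are constructed; field names are not a real EDR's.
"""
from dataclasses import dataclass
import re
from typing import Dict, List, Optional


@dataclass
class Event:
    kind: str                       # "process" | "file" | "mutex"
    pid: int
    image: str
    parent_image: Optional[str] = None
    cmdline: str = ""
    target: str = ""                # created path or mutex name


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Parents that exist only to host a DLL; the sandbox's loaddll32.exe plays the
# role rundll32.exe / regsvr32.exe would play on a victim host.
DLL_HOSTS = {"loaddll32.exe", "loaddll64.exe", "rundll32.exe", "regsvr32.exe"}
# Signed Windows binaries whose bare launch is a hollowing tell; extend as needed.
HOLLOW_TARGETS = {"msiexec.exe"}

# Short alphabetic directory + short alphabetic file directly under Roaming,
# as with Ilgyr\inaxa.dll. Heuristic: vendors normally nest deeper.
APPDATA_DROP = re.compile(
    r"\\AppData\\Roaming\\[A-Za-z]{3,10}\\[A-Za-z]{3,10}\.(?:dll|exe)$", re.I)
GUID = re.compile(
    r"\{([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}", re.I)


def is_bare_hollow_target(ev: Event) -> bool:
    """msiexec.exe with no arguments, spawned by a DLL host. A real installer
    run carries /i, /x or the service's /V; a hollowed instance is started bare
    because the injected image, not msiexec, decides what runs."""
    if ev.kind != "process" or not ev.parent_image:
        return False
    has_args = len(ev.cmdline.strip().split(None, 1)) > 1
    return (basename(ev.image) in HOLLOW_TARGETS and not has_args
            and basename(ev.parent_image) in DLL_HOSTS)


def triage(events: List[Event]) -> List[str]:
    """Flag the bare launch, then only look at file/mutex activity of the
    flagged pids so the noisier rules stay scoped to a suspicious process."""
    findings: List[str] = []
    suspects = set()
    for ev in events:
        if is_bare_hollow_target(ev):
            suspects.add(ev.pid)
            findings.append(f"pid {ev.pid}: {basename(ev.image)} started with no "
                            f"arguments by {basename(ev.parent_image)}")
    mutex_tails: Dict[int, Dict[str, int]] = {}
    for ev in events:
        if ev.pid not in suspects:
            continue
        if ev.kind == "file" and APPDATA_DROP.search(ev.target):
            findings.append(f"pid {ev.pid}: dropped PE in short random AppData path {ev.target}")
        elif ev.kind == "mutex":
            m = GUID.search(ev.target)
            if m:
                tail = f"{m.group(4)}-{m.group(5)}".upper()   # last two GUID groups
                per_pid = mutex_tails.setdefault(ev.pid, {})
                per_pid[tail] = per_pid.get(tail, 0) + 1
    for pid, tails in mutex_tails.items():
        for tail, n in tails.items():
            if n >= 2:
                findings.append(f"pid {pid}: {n} GUID mutexes share tail {tail} "
                                f"(fixed tail suggests host-derived naming)")
    return findings


# Constructed from the report's rows; pids are invented.
LDR = r"C:\Windows\System32\loaddll32.exe"
MSI = r"C:\Windows\SysWOW64\msiexec.exe"
MUTEX_DIR = "\\Sessions\\1\\BaseNamedObjects\\Local\\"
SAMPLE_EVENTS = [
    Event("process", 1001, LDR, parent_image=r"C:\Windows\explorer.exe",
          cmdline=r"loaddll32.exe 'C:\Users\user\Desktop\ERRoqGpsIS.dll'"),
    Event("process", 1014, MSI, parent_image=LDR, cmdline="msiexec.exe"),
    Event("file", 1014, MSI, target=r"C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll"),
    Event("mutex", 1014, MSI, target=MUTEX_DIR + "{AE3C19F7-A2D0-F8C5-70B9-D0EFD3468FD7}"),
    Event("mutex", 1014, MSI, target=MUTEX_DIR + "{8E4429F7-92D0-D8BD-70B9-D0EFD3468FD7}"),
    Event("mutex", 1014, MSI, target=MUTEX_DIR + "{3EAD2B6B-904C-6854-70B9-D0EFD3468FD7}"),
    # constructed benign control: an interactive installer run with arguments
    Event("process", 2002, r"C:\Windows\System32\msiexec.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'msiexec.exe /i "C:\Users\user\Downloads\setup.msi"'),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The parent check is what keeps the first rule quiet: the Windows Installer service itself runs msiexec.exe /V from services.exe, and interactive installs carry /i or /x, so a bare msiexec.exe whose parent is a DLL host is rare on a healthy endpoint.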