Source: 2.2.rundll32.exe.1060000.1.raw.unpack | Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 0_2_026712D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_034412D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 3_2_034412D4 |
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js0.13.dr | String found in binary or memory: http://feross.org |
Source: rundll32.exe, 00000003.00000003.443272606.000000000352B000.00000004.00000001.sdmp | String found in binary or memory: http://under17.com |
Source: {4554B9A3-96F7-11EB-90E6-ECF4BB82F7E0}.dat.25.dr | String found in binary or memory: http://under17.com/joomla/7oXts9AORFsG5/i189ZNd4/wxa5zyBcqStFNvDeNtF1KxB/E9musqCc5L/b_2FSJrdUWwLXBbJ |
Source: {4D761D34-96F7-11EB-90E6-ECF4BB82F7E0}.dat.25.dr | String found in binary or memory: http://under17.com/joomla/YJmZr0WJXI7/eZbfNM7hm_2BBw/atfJcuVF_2B5yHpeRoV9f/p4iYAB3akKupopXr/3YLvELEn |
Source: loaddll32.exe, 00000000.00000002.492271076.0000000000BFB000.00000004.00000020.sdmp | String found in binary or memory: http://urs-world.com |
Source: loaddll32.exe, 00000000.00000002.492271076.0000000000BFB000.00000004.00000020.sdmp | String found in binary or memory: http://urs-world.com/joomla/ych84zDRIp_2FF7IaYN0/GQoKhDOBhANEIsf1GP9/YE& |
Source: {5B8FC2C2-96F7-11EB-90E6-ECF4BB82F7E0}.dat.38.dr | String found in binary or memory: http://urs-world.com/joomla/ych84zDRIp_2FF7IaYN0/GQoKhDOBhANEIsf1GP9/YEQ6PJZPGUhJ_2BK96Ghup/vPTPDIHk |
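The configuration block and the under17.com / urs-world.com URL strings above are the part of this report an analyst turns into indicators. What follows is an added example written for this page, not extractor or sandbox code: it flattens the extractor's JSON, separates the Microsoft-owned entries from the blockable C2 domains (treating those entries as connectivity checks or decoys is this example's assumption, but blocking bing.com or microsoft.com on a fleet is never the right outcome), measures the key material, and grades URLs against the `/joomla/` URI shape visible in the strings. The decoy suffix list, the URI regex and the labels returned are assumptions derived only from what this page shows.

```python
"""Normalise the Ursnif configuration quoted in this report and grade URLs
seen in memory or browser cache against the beacon pattern it implies.

Added illustration for this page, not code from the sandbox or from any
configuration extractor. The decoy list, the URI regex and the labels are
assumptions derived from the strings on the page, not from Ursnif source.
"""
import base64
import json
import re

# Constructed input: the extractor output quoted in the report, copied verbatim.
CONFIG_JSON = r'''[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]'''

# Assumption: Microsoft-owned hosts in a c2_domain list are connectivity checks
# or decoys, not infrastructure that can be blocked or sinkholed.
DECOY_SUFFIXES = ("microsoft.com", "bing.com")

# Shape of the beacon URIs on this page: "/joomla/" then long alphanumeric
# segments in which "/" and "+" appear to be encoded as "_2F" / "_2B".
BEACON_PATH = re.compile(r"^/joomla/[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*$")


def parse_config(text):
    """Flatten the list of dicts the extractor emits into one dict."""
    merged = {}
    for part in json.loads(text):
        merged.update(part)
    return merged


def is_decoy(domain):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DECOY_SUFFIXES)


def split_c2(cfg):
    """Return (blockable_c2, decoys), preserving the order in the config."""
    real, decoy = [], []
    for d in cfg.get("c2_domain", []):
        (decoy if is_decoy(d) else real).append(d)
    return real, decoy


def summarise(cfg):
    """Facts an analyst records from this config; key sizes are measured, not parsed."""
    real, decoy = split_c2(cfg)
    return {
        "botnet": cfg.get("botnet"),
        "server": cfg.get("server"),
        "c2": real,
        "decoys": decoy,
        "rsa_blob_bytes": len(base64.b64decode(cfg["RSA Public Key"])),
        "serpent_key_bits": len(cfg["serpent_key"].encode()) * 8,
        "sleep_time": int(cfg.get("sleep_time", "0")),
        "dga_count": int(cfg.get("DGA_count", "0")),
    }


def classify_url(url, real_c2):
    """'beacon': C2 host with the observed URI shape; 'c2-host': host only; else 'other'."""
    m = re.match(r"^https?://([^/]+)(/.*)?$", url)
    if not m:
        return "other"
    host, path = m.group(1).lower(), m.group(2) or "/"
    if host not in {d.lower() for d in real_c2}:
        return "other"
    return "beacon" if BEACON_PATH.match(path) else "c2-host"


if __name__ == "__main__":
    cfg = parse_config(CONFIG_JSON)
    print(summarise(cfg))
    for u in ("http://under17.com",
              "http://under17.com/joomla/7oXts9AORFsG5/i189ZNd4/wxa5zyBcqStFNvDeNtF1KxB/E9musqCc5L/b_2FSJrdUWwLXBbJ",
              "https://login.microsoftonline.com/error?code=50058"):
        print(classify_url(u, summarise(cfg)["c2"]), u)
```

The serpent_key field is 16 characters, i.e. a 128-bit key, and the RSA blob decodes to 144 bytes; the example only measures those sizes because the internal layout of the key blob is not something this report documents. Note that the second urs-world.com string in the report ends in `&` and would be graded `c2-host` rather than `beacon`, which is the right outcome for a truncated string.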
Source: {297C5619-96F7-11EB-90E6-ECF4BB82F7E0}.dat.12.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e |
Source: authorize[1].htm.13.dr | String found in binary or memory: https://login.microsoftonline.com/error?code=50058 |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/datenleck-bei-facebook-wachstum-z |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/janet-yellen-us-finanzministerin-fordert-weltweite-mi |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/staatliche-regulierung-allianz-gegen-big-tech-druck-a |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/admirale-begehren-auf-gegen-das-verr |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/alexej-nawalny-klagt- |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/es-h |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/so-tickt-kosovos-neue-staatspr |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/ukrainekonflikt-maas-warnt-russland-und-ukraine- |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/other/karl-lauterbach-der-blitzableiter-der-republik/ar-BB1fiI |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/coronakrise-laschet-fordert-harten-br |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/das-alles-h |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/fdp-nur-keine-option-von-vornherein-ausschlie |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/l |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/manfred-weber-nennt-eu-beitritt-der-t |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/die-altersheime-hat-man-vergessen/ar-BB1fkRPW?ocid |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/nachtleben-in-israel-eine-nacht-wie-fr |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/abdullah-sollte-von-erdogan-lernen/ar-BB1fktw7?ocid=BingHPC |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/das-grosse-impfen-beginnt-geht-es-nun-endlich-vorw |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/pentagon-usa-beobachten-russlands-aktivit |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/polizei-sucht-mit-superpuma-nach-vermissten-minderj |
Source: msnpopularnow[1].json.13.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/ressourcen-f |
Source: Yara match | File source: 00000000.00000002.492240511.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.260825998.0000000001060000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.492614087.0000000001330000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.1330000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.bd0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.1060000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000003.334082249.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334133428.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321638626.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321709185.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334122359.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321582588.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321610032.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321662691.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.494742479.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321684389.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.480594234.0000000002F7F000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334100411.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321545910.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334161617.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334180863.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.415230609.000000000307D000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321698074.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5408, type: MEMORY |
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3544, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001D9F NtMapViewOfSection, | 0_2_10001D9F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001EB5 GetProcAddress,NtCreateSection,memset, | 0_2_10001EB5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002375 NtQueryVirtualMemory, | 0_2_10002375 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026783B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, | 0_2_026783B7 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0267B341 NtQueryVirtualMemory, | 0_2_0267B341 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_034483B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, | 3_2_034483B7 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0344B341 NtQueryVirtualMemory, | 3_2_0344B341 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F | 0_2_0259348F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 | 0_2_02594859 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259554B | 0_2_0259554B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B | 0_2_0259237B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B | 0_2_0259247B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02591374 | 0_2_02591374 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02595C76 | 0_2_02595C76 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259596E | 0_2_0259596E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02591918 | 0_2_02591918 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02593314 | 0_2_02593314 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02591000 | 0_2_02591000 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596424 | 0_2_02596424 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02593BDB | 0_2_02593BDB |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02595AF6 | 0_2_02595AF6 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_025928EB | 0_2_025928EB |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_025952EC | 0_2_025952EC |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_025920EE | 0_2_025920EE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02591B95 | 0_2_02591B95 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02593A85 | 0_2_02593A85 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02593FA8 | 0_2_02593FA8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002154 | 0_2_10002154 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02674094 | 0_2_02674094 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0267B11C | 0_2_0267B11C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026797F2 | 0_2_026797F2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D348F | 2_2_012D348F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D6424 | 2_2_012D6424 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D1000 | 2_2_012D1000 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D1918 | 2_2_012D1918 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D3314 | 2_2_012D3314 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D596E | 2_2_012D596E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D247B | 2_2_012D247B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D1374 | 2_2_012D1374 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D5C76 | 2_2_012D5C76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D554B | 2_2_012D554B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D4859 | 2_2_012D4859 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D3FA8 | 2_2_012D3FA8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D238F | 2_2_012D238F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D3A85 | 2_2_012D3A85 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D1B95 | 2_2_012D1B95 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D52EC | 2_2_012D52EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D20EE | 2_2_012D20EE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D28EB | 2_2_012D28EB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D5AF6 | 2_2_012D5AF6 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012D3BDB | 2_2_012D3BDB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0339348F | 3_2_0339348F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03396424 | 3_2_03396424 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03391918 | 3_2_03391918 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03393314 | 3_2_03393314 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03391000 | 3_2_03391000 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0339237B | 3_2_0339237B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0339247B | 3_2_0339247B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03391374 | 3_2_03391374 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03395C76 | 3_2_03395C76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0339596E | 3_2_0339596E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03394859 | 3_2_03394859 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0339554B | 3_2_0339554B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03393FA8 | 3_2_03393FA8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03391B95 | 3_2_03391B95 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03393A85 | 3_2_03393A85 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03395AF6 | 3_2_03395AF6 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033928EB | 3_2_033928EB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033952EC | 3_2_033952EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033920EE | 3_2_033920EE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03393BDB | 3_2_03393BDB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0344B11C | 3_2_0344B11C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_034497F2 | 3_2_034497F2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03444094 | 3_2_03444094 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll' | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_2.gif.dll,StartService | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1 | |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2 | |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7144 CREDAT:17410 /prefetch:2 | |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7144 CREDAT:82952 /prefetch:2 | |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:900 CREDAT:17410 /prefetch:2 | |
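The launch chain above is what a detection engineer keys on: rundll32.exe loading a DLL from the user's Desktop, with a disguised `.gif.dll` name, entered once by ordinal (`#1`) and once by the export `StartService`. Bear in mind that loaddll32.exe at the root of the tree is the sandbox's own DLL loader, not something the sample brought along, so a production rule should look at the rundll32 command line and its real parent rather than at that image name. The following is an added example for this page, not sandbox or vendor code; the indicator set, the disguise-extension list, the export watch-list (which contains `StartService` only because this report shows it being invoked) and the threshold are this example's assumptions.

```python
"""Heuristic triage for rundll32 launches like the ones in this report: flag a
command line whose DLL lives under a user profile, carries a disguised double
extension, or is entered by ordinal / by a watch-listed export name.

Added illustration for this page, not sandbox or vendor code. Indicator names,
the extension list, the export watch-list and the threshold are assumptions.
"""
import re

RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+['\"]?(?P<dll>[^'\",]+?\.dll)['\"]?\s*,\s*(?P<entry>\S+)",
    re.IGNORECASE,
)
USER_PATH_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
# Extensions a DLL is dressed up as in the file name (assumption).
DISGUISE_EXTS = {"gif", "jpg", "jpeg", "png", "pdf", "doc", "docx", "txt"}
# Assumption: taken from this report, not a vendor or community list.
EXPORT_WATCHLIST = {"startservice"}


def indicators(cmdline):
    """Return the indicator names that apply to one rundll32 command line."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return []
    dll, entry = m["dll"], m["entry"]
    found = []
    if USER_PATH_RE.match(dll):
        found.append("dll_in_user_profile")
    parts = dll.rsplit("\\", 1)[-1].lower().split(".")
    if len(parts) >= 3 and parts[-2] in DISGUISE_EXTS:
        found.append("double_extension")
    if entry.startswith("#"):
        found.append("ordinal_export")
    elif entry.lower() in EXPORT_WATCHLIST:
        found.append("watchlisted_export")
    return found


def triage(events, threshold=2):
    """events: (parent_image, image, cmdline). Returns [(cmdline, indicators)] at or above threshold."""
    hits = []
    for _parent, _image, cmdline in events:
        found = indicators(cmdline)
        if len(found) >= threshold:
            hits.append((cmdline, found))
    return hits


# Constructed events mirroring the process tree in this report, plus one
# benign rundll32 launch (also constructed) to show the rule staying quiet.
EVENTS = [
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\gg_2.gif.dll,StartService"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe 'C:\Users\user\Desktop\gg_2.gif.dll',#1"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for cmdline, found in triage(EVENTS):
        print(", ".join(found).ljust(56), cmdline)
```

The `cmd.exe /C rundll32.exe ...` wrapper is scored on its command line as well, so the chain is caught even when the telemetry source only records the intermediate shell. A threshold of two keeps a lone ordinal call (common in legitimate installers) from firing on its own.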
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596194 push eax; mov dword ptr [esp], 00000004h | 0_2_025961AF |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596194 push esi; mov dword ptr [esp], 00001000h | 0_2_025961B7 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596194 push 00000000h; mov dword ptr [esp], ebp | 0_2_02596267 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_025934A1 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 0_2_02593632 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push 00000000h; mov dword ptr [esp], edx | 0_2_025937FE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push edx; mov dword ptr [esp], 00000002h | 0_2_0259384A |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push 00000000h; mov dword ptr [esp], ecx | 0_2_025938D7 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi | 0_2_025948B7 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-10h]; mov dword ptr [esp], edx | 0_2_0259490D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], ecx | 0_2_02594918 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-10h]; mov dword ptr [esp], edi | 0_2_02594990 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 0_2_02594A23 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], ebp | 0_2_02594A2E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push ebx; mov dword ptr [esp], 00000001h | 0_2_02594AD0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_02594BE3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], edx | 0_2_02594C36 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi | 0_2_02594D62 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], edx | 0_2_02594D67 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02594859 push 00000000h; mov dword ptr [esp], ecx | 0_2_02594D74 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push 00000000h; mov dword ptr [esp], edi | 0_2_02592502 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push 00000000h; mov dword ptr [esp], ecx | 0_2_02592524 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_0259269D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push dword ptr [ebp-10h]; mov dword ptr [esp], esi | 0_2_02592737 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259237B push edi; mov dword ptr [esp], 00000004h | 0_2_02592759 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push 00000000h; mov dword ptr [esp], eax | 0_2_02592498 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push 00000000h; mov dword ptr [esp], edi | 0_2_02592502 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push 00000000h; mov dword ptr [esp], ecx | 0_2_02592524 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_0259269D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push dword ptr [ebp-10h]; mov dword ptr [esp], esi | 0_2_02592737 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259247B push edi; mov dword ptr [esp], 00000004h | 0_2_02592759 |
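The `push X; mov dword ptr [esp], Y` pairs listed above are an obfuscation idiom: the push reserves a stack slot with a throw-away operand and the mov overwrites it, so the pair behaves exactly like a plain `push Y` while hiding the real operand from naive pattern matching. The following is an added example for this page, not sandbox code: it parses the report's own line format, folds each pair back into the single instruction it stands for, and refuses to fold the one case where the rewrite is wrong, a source operand that reads `esp` (the mov sees the post-push stack pointer, a real `push esp` would store the pre-push one). The line regex and the esp guard are this example's own; the sample input is copied from the lines above plus one constructed unsafe case.

```python
"""Fold the "push X; mov dword ptr [esp], Y" pattern listed in this report back
into the equivalent "push Y".

Added illustration for this page, not sandbox code. The report's line format is
parsed as printed; the rewrite rule and the esp guard are this example's own.
"""
import re
from collections import Counter

PAIR_RE = re.compile(
    r"Code function: (?P<func>\S+) push (?P<junk>[^;]+); "
    r"mov dword ptr \[esp\], (?P<val>\S+) \| (?P<addr>\S+)"
)


def simplify_pair(junk, val):
    """Return the single instruction equivalent to the pair, or None if unsafe."""
    v = val.strip()
    # The overwrite runs after the push has moved esp, so a value derived from
    # esp would be the *new* stack pointer; "push esp" stores the old one.
    if "esp" in v.lower():
        return None
    return f"push {v}"


def normalise(lines):
    """Return (function, address, rewritten_instruction) for every foldable line."""
    out = []
    for line in lines:
        m = PAIR_RE.search(line)
        if not m:
            continue
        simple = simplify_pair(m["junk"], m["val"])
        if simple is not None:
            out.append((m["func"], m["addr"], simple))
    return out


def per_function_counts(lines):
    """How many obfuscated pushes each function contains; a crude obfuscation density."""
    return Counter(func for func, _, _ in normalise(lines))


# Constructed sample: four of the report's own lines, plus one invented line
# (labelled "hypothetical") whose esp-relative source must not be folded.
SAMPLE = [
    r"Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596194 push eax; mov dword ptr [esp], 00000004h | 0_2_025961AF",
    r"Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02596194 push 00000000h; mov dword ptr [esp], ebp | 0_2_02596267",
    r"Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_025934A1",
    r"Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0259348F push edx; mov dword ptr [esp], 00000002h | 0_2_0259384A",
    r"Source: hypothetical | Code function: hypothetical_func push eax; mov dword ptr [esp], esp | hypothetical_addr",
]

if __name__ == "__main__":
    for func, addr, insn in normalise(SAMPLE):
        print(f"{func} {addr}: {insn}")
    print(dict(per_function_counts(SAMPLE)))
```

Folding these pairs before diffing the unpacked modules makes the loaddll32.exe and rundll32.exe copies of each function line up, which is what you want when confirming that the three Yara-matched memory regions are the same code at different base addresses.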
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences) |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences) |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed (2 occurrences) |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed (2 occurrences) |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 0_2_026712D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_034412D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 3_2_034412D4 |
Source: loaddll32.exe, 00000000.00000002.492800855.0000000001180000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.494160905.0000000003970000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager |
Source: loaddll32.exe, 00000000.00000002.492800855.0000000001180000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.494160905.0000000003970000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.492800855.0000000001180000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.494160905.0000000003970000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.492800855.0000000001180000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.494160905.0000000003970000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, | 0_2_1000102F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0267269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, | 0_2_0267269C |
Source: Yara match | File source: 00000000.00000002.492240511.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.260825998.0000000001060000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.492614087.0000000001330000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.1330000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.bd0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.1060000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000003.334082249.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334133428.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321638626.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321709185.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334122359.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321582588.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321610032.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321662691.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.494742479.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321684389.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.480594234.0000000002F7F000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334100411.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321545910.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334161617.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.334180863.000000000317B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.415230609.000000000307D000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.321698074.0000000005A78000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5408, type: MEMORY |
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3544, type: MEMORY |