Source: 5.3.rundll32.exe.4975cf4.0.raw.unpack | Malware Configuration Extractor: ZLoader {"C2 list": ["https://jiaayanu.com/post.php", "https://investinszeklerland.eu/post.php", "https://iqs-sac.com/post.php", "https://jciems.in/post.php", "https://jinnahofficersschool.com/post.php", "https://kancagh.com/post.php"], "RC4 Key": "dh8f3@3hdf#hsf23", "Botnet": "nut", "Campaign": "13/04"} |
Source: LbSpXJz6Ey.dll | Virustotal: Detection: 39% |
Source: LbSpXJz6Ey.dll | Metadefender: Detection: 26% |
Source: LbSpXJz6Ey.dll | ReversingLabs: Detection: 44% |
Source: LbSpXJz6Ey.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: LbSpXJz6Ey.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: c:\position\Trade\Hair than\Sight.pdb source: loaddll32.exe, 00000001.00000002.646001738.000000006E212000.00000004.00020000.sdmp, rundll32.exe, 00000004.00000002.661497710.000000006E217000.00000004.00020000.sdmp, rundll32.exe, 00000005.00000002.612708689.000000006E204000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.655853498.000000006E204000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.610813810.000000006E212000.00000004.00020000.sdmp, rundll32.exe, 00000008.00000002.628765478.000000006E212000.00000004.00020000.sdmp, LbSpXJz6Ey.dll |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then movzx eax, word ptr [ebp+0Ch] | 4_2_6E19FA10 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov eax, dword ptr [edi-08h] | 4_2_6E1AB200 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov eax, esi | 4_2_6E1AFA40 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then test bl, bl | 4_2_6E1AAE80 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then push 68653F5Eh | 4_2_6E19F420 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then test ebx, ebx | 4_2_6E1A5C80 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov byte ptr [ebp+eax-50h], cl | 4_2_6E1A04E0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then push ebx | 4_2_6E1A9DA0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then lea ebx, dword ptr [ebp-34h] | 4_2_6E1AC9E0 |
Source: Malware configuration extractor | IPs: https://jiaayanu.com/post.php |
Source: Malware configuration extractor | IPs: https://investinszeklerland.eu/post.php |
Source: Malware configuration extractor | IPs: https://iqs-sac.com/post.php |
Source: Malware configuration extractor | IPs: https://jciems.in/post.php |
Source: Malware configuration extractor | IPs: https://jinnahofficersschool.com/post.php |
Source: Malware configuration extractor | IPs: https://kancagh.com/post.php |
Source: loaddll32.exe, 00000001.00000002.646024059.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.661511442.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.613754347.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.658068139.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.610821067.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.628771772.000000006E232000.00000002.00020000.sdmp, LbSpXJz6Ey.dll | String found in binary or memory: http://openspot.de |
Source: loaddll32.exe, 00000001.00000002.644850329.0000000000A7B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: Yara match | File source: 00000004.00000003.583049899.0000000002740000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000003.585834648.0000000004960000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000002.647580754.000000006E191000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.656327415.000000006E191000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.612647390.000000006E191000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 5.3.rundll32.exe.4975cf4.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.3.rundll32.exe.4975cf4.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.3.rundll32.exe.2755cf4.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.3.rundll32.exe.2755cf4.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1A9EA4 | 1_2_6E1A9EA4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1AA7F0 | 1_2_6E1AA7F0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1A9C63 | 1_2_6E1A9C63 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1AA57C | 1_2_6E1AA57C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1A9A31 | 1_2_6E1A9A31 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1AAA55 | 1_2_6E1AAA55 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1C7291 | 1_2_6E1C7291 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1AA317 | 1_2_6E1AA317 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E19DBDC | 1_2_6E19DBDC |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1AA0D6 | 1_2_6E1AA0D6 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1C7171 | 1_2_6E1C7171 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1A0230 | 4_2_6E1A0230 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E197C20 | 4_2_6E197C20 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E193880 | 4_2_6E193880 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E198CA0 | 4_2_6E198CA0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E192550 | 4_2_6E192550 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1961F0 | 4_2_6E1961F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1BDF30 | 4_2_6E1BDF30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C976C | 4_2_6E1C976C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1BE450 | 4_2_6E1BE450 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C7291 | 4_2_6E1C7291 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1BE880 | 4_2_6E1BE880 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C7171 | 4_2_6E1C7171 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C19BF | 4_2_6E1C19BF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1BDF30 | 5_2_6E1BDF30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1C976C | 5_2_6E1C976C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1BE450 | 5_2_6E1BE450 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1C7291 | 5_2_6E1C7291 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1BE880 | 5_2_6E1BE880 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1C7171 | 5_2_6E1C7171 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1C19BF | 5_2_6E1C19BF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1BDF30 | 6_2_6E1BDF30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1C976C | 6_2_6E1C976C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1BE450 | 6_2_6E1BE450 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1C7291 | 6_2_6E1C7291 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1BE880 | 6_2_6E1BE880 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1C7171 | 6_2_6E1C7171 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1C19BF | 6_2_6E1C19BF |
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E19AAE0 appears 41 times |
Source: LbSpXJz6Ey.dll | Binary or memory string: OriginalFilenameSight.dllj% vs LbSpXJz6Ey.dll |
Source: classification engine | Classification label: mal68.troj.winDLL@13/0@0/1 |
Source: LbSpXJz6Ey.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Drawmorning@8 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_ExpectRemember@0 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Offmark@0 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Providesea@8 |
Source: LbSpXJz6Ey.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: LbSpXJz6Ey.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: LbSpXJz6Ey.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: LbSpXJz6Ey.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: LbSpXJz6Ey.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: LbSpXJz6Ey.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: LbSpXJz6Ey.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: LbSpXJz6Ey.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: LbSpXJz6Ey.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: LbSpXJz6Ey.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: LbSpXJz6Ey.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: LbSpXJz6Ey.dll | Static PE information: real checksum: 0xb66e2 should be: 0xab31a |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1CAD03 push ecx; ret | 1_2_6E1CAD16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1AC720 push eax; ret | 4_2_6E1AC72A |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1CAD03 push ecx; ret | 4_2_6E1CAD16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1CAD03 push ecx; ret | 5_2_6E1CAD16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1CAD03 push ecx; ret | 6_2_6E1CAD16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E19AE86 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_6E19AE86 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1ADFA0 mov eax, dword ptr fs:[00000030h] | 1_2_6E1ADFA0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1B726E mov eax, dword ptr fs:[00000030h] | 1_2_6E1B726E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E19F2B0 mov eax, dword ptr fs:[00000030h] | 4_2_6E19F2B0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2144D9 mov eax, dword ptr fs:[00000030h] | 4_2_6E2144D9 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E21440F mov eax, dword ptr fs:[00000030h] | 4_2_6E21440F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E214016 push dword ptr fs:[00000030h] | 4_2_6E214016 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E2144D9 mov eax, dword ptr fs:[00000030h] | 5_2_6E2144D9 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E21440F mov eax, dword ptr fs:[00000030h] | 5_2_6E21440F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E214016 push dword ptr fs:[00000030h] | 5_2_6E214016 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1AD780 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_6E1AD780 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E19A7A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_6E19A7A8 |
Source: loaddll32.exe, 00000001.00000002.645863904.0000000000F00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.651085141.0000000002C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.612600311.0000000003550000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.646520208.0000000002C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.610686780.0000000002C20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.628677755.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.645863904.0000000000F00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.651085141.0000000002C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.612600311.0000000003550000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.646520208.0000000002C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.610686780.0000000002C20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.628677755.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.645863904.0000000000F00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.651085141.0000000002C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.612600311.0000000003550000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.646520208.0000000002C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.610686780.0000000002C20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.628677755.0000000003640000.00000002.00000001.sdmp | Binary or memory string: &Program Manager |
Source: loaddll32.exe, 00000001.00000002.645863904.0000000000F00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.651085141.0000000002C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.612600311.0000000003550000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.646520208.0000000002C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.610686780.0000000002C20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.628677755.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E19ACA6 cpuid | 1_2_6E19ACA6 |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, | 1_2_6E1B1254 |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, | 1_2_6E1B1154 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 4_2_6E1C26FE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 4_2_6E1C1F54 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 4_2_6E1C25D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 4_2_6E1C225F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 4_2_6E1C22FA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 4_2_6E1C2385 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 4_2_6E1C2804 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 4_2_6E1C28D3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 4_2_6E1C21F6 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 5_2_6E1C26FE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 5_2_6E1C1F54 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 5_2_6E1C25D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 5_2_6E1C225F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 5_2_6E1C22FA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 5_2_6E1C2385 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 5_2_6E1C2804 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 5_2_6E1C28D3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 5_2_6E1C21F6 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 6_2_6E1C26FE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 6_2_6E1C1F54 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 6_2_6E1C25D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 6_2_6E1C225F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 6_2_6E1C22FA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 6_2_6E1C2385 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 6_2_6E1C2804 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 6_2_6E1C28D3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 6_2_6E1C21F6 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E19B08B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 1_2_6E19B08B |