Source: 3.2.rundll32.exe.4e994a0.2.raw.unpack |
Malware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: iJdlvBxhYu.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: iJdlvBxhYu.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.593517225.000000006E16B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.598022464.000000006E16B000.00000002.00020000.sdmp, iJdlvBxhYu.dll |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_0100896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
3_2_0100896F |
Source: Joe Sandbox View |
IP Address: 40.97.128.194 |
Source: global traffic |
HTTP traffic detected: GET /login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive |
Source: unknown |
DNS traffic detected: queries for: outlook.com |
Source: ~DF0D80EB75D4D79339.TMP.15.dr, {C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat.15.dr |
String found in binary or memory: https://outlook.office365.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6M |
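The request above has the shape that public analyses describe for Ursnif/ISFB beacons: a base64 blob in which '+' and '/' have been rewritten as '_2B' and '_2F', cut into path segments at arbitrary positions and given a fake file extension. The Python below is an added example, not code from this report or from the malware; it reassembles such paths and scans constructed proxy log lines, the second of which reproduces the captured request. Assumptions that are not in the report: the '_00' to '=' mapping, the MIN_BLOB_LEN threshold, the rule that fixed prefix segments are short lowercase words, and the log line format.

```python
import base64
import re
from urllib.parse import urlsplit

# Shape of an Ursnif/ISFB beacon URI as described in public analyses of the
# family: the encrypted request is base64-encoded, '+' becomes '_2B' and '/'
# becomes '_2F', the string is cut into path segments at arbitrary positions
# and a fake file extension is appended. The '=' -> '_00' mapping is an
# assumption taken from those write-ups; it does not occur in this report.
SUBSTITUTIONS = (("_2B", "+"), ("_2F", "/"), ("_00", "="))
MIN_BLOB_LEN = 100                               # tuning assumption
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PREFIX_WORD_RE = re.compile(r"^[a-z]{1,12}$")    # fixed words such as /login/greed/

# c2_domain entries from the report's extracted configuration; the captured
# beacon went to outlook.com, the first host in that list.
CONFIG_C2 = ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"]
C2_HOSTS = {entry.split("/")[0] for entry in CONFIG_C2}


def reassemble(path):
    """Return (prefix_words, base64_string) for a beacon-shaped path, else None.

    Segments are joined *before* the substitutions are undone: the malware
    inserts '/' at arbitrary offsets, including inside a token, as in
    '...j2_2B_/2FCnN...' in the captured request.
    """
    segments = [s for s in path.split("/") if s]
    prefix = []
    while segments and PREFIX_WORD_RE.match(segments[0]):
        prefix.append(segments.pop(0))
    if not segments:
        return None
    segments[-1] = segments[-1].rsplit(".", 1)[0]   # drop the '.gfk' style extension
    joined = "".join(segments)
    tokens = sum(joined.count(tok) for tok, _ in SUBSTITUTIONS)
    for tok, ch in SUBSTITUTIONS:
        joined = joined.replace(tok, ch)
    # A 200-character base64 string with neither '+' nor '/' is rare
    # ((62/64)**200 is about 0.2 %), so at least one token is required.
    if tokens == 0 or len(joined) < MIN_BLOB_LEN or not B64_RE.match(joined):
        return None
    return prefix, joined


def decode_blob(b64):
    """Raw (still Serpent-encrypted) bytes, or None when the length is impossible."""
    padded = b64 + "=" * (-len(b64) % 4)            # beacons carry no '=' padding
    try:
        return base64.b64decode(padded)
    except ValueError:                               # binascii.Error is a ValueError
        return None


def scan_log(lines):
    """Flag beacon-shaped URLs in 'timestamp client method url status' lines (constructed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        parsed = urlsplit(url)
        found = reassemble(parsed.path)
        if found is None:
            continue
        prefix, blob = found
        raw = decode_blob(blob)
        hits.append({
            "url": url,
            "host": parsed.hostname,
            "host_in_config": parsed.hostname in C2_HOSTS,
            "prefix": prefix,
            "blob": blob,
            "raw_len": None if raw is None else len(raw),
        })
    return hits


# Constructed proxy log; line 2 reproduces the request captured in the report.
SAMPLE_LOG = [
    "2021-05-05T10:00:01Z 10.0.0.5 GET http://outlook.com/login/index.html 200",
    "2021-05-05T10:00:02Z 10.0.0.5 GET http://outlook.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk 200",
    "2021-05-05T10:00:03Z 10.0.0.5 GET https://cdn.example.net/static/js/app.3f9c2e1d8b7a6c5d4e3f2a1b0c9d8e7f.min.js 200",
    "2021-05-05T10:00:04Z 10.0.0.5 POST https://api.example.net/v2/session/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0 204",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["host"], hit["prefix"], len(hit["blob"]), hit["raw_len"])
```

The recovered bytes are still encrypted; decrypting them takes the serpent_key from the extracted configuration and is outside this example. The detector keys on URI shape rather than destination, which matters here because the beacon went to outlook.com, a legitimate host that the configuration lists first under c2_domain.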
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49727 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49729 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49728 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49729 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49728 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49727 |
Source: Yara match |
File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1023A5 NtQueryVirtualMemory, |
0_2_6E1023A5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E10101B NtMapViewOfSection, |
3_2_6E10101B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E10145E GetProcAddress,NtCreateSection,memset, |
3_2_6E10145E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1023A5 NtQueryVirtualMemory, |
3_2_6E1023A5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_01001724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
3_2_01001724 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_0100B301 NtQueryVirtualMemory, |
3_2_0100B301 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E102184 |
0_2_6E102184 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E14AF51 |
0_2_6E14AF51 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E146700 |
0_2_6E146700 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E169DAE |
0_2_6E169DAE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E163A47 |
0_2_6E163A47 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E167AB1 |
0_2_6E167AB1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E154B3B |
0_2_6E154B3B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E16035D |
0_2_6E16035D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1628C3 |
0_2_6E1628C3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E14C100 |
0_2_6E14C100 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E102184 |
3_2_6E102184 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_01003977 |
3_2_01003977 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_01008045 |
3_2_01008045 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_010062D8 |
3_2_010062D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_0100B0DC |
3_2_0100B0DC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E14AF51 |
3_2_6E14AF51 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E146700 |
3_2_6E146700 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E169DAE |
3_2_6E169DAE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E163A47 |
3_2_6E163A47 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E167AB1 |
3_2_6E167AB1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E154B3B |
3_2_6E154B3B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E16035D |
3_2_6E16035D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1628C3 |
3_2_6E1628C3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E14C100 |
3_2_6E14C100 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: String function: 6E14B2D0 appears 32 times |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: String function: 6E14B2D0 appears 32 times |
Source: iJdlvBxhYu.dll |
Binary or memory string: OriginalFilename turn.dll vs iJdlvBxhYu.dll |
Source: iJdlvBxhYu.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal60.troj.winDLL@12/5@3/4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_010024C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
3_2_010024C7 |
Source: C:\Program Files\internet explorer\iexplore.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4CF6A27-AD44-11EB-90E5-ECF4BB2D2496}.dat |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll' |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply |
Source: unknown |
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2 |
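The command lines above show the three ways rundll32 was pointed at the sample: the named exports Enterbeen and Multiply, and export ordinal #1, once wrapped in cmd.exe /C. A process-creation rule has to parse '<dll>,<entry>' correctly (quoted paths, commas inside the path, the '#N' ordinal form, the space separator) before it can ask whether the DLL sits in a user-writable directory. The Python below is an added example, not part of the report or of any product; the event records are constructed from the report's command lines plus benign look-alikes, and the user-writable directory list is an assumption.

```python
import re

# Directories a standard user can write to (triage assumption, not a report rule).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def split_args(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole.

    Real command lines use double quotes; the sandbox report renders them as
    single quotes, so both are accepted.
    """
    args, cur, quote = [], "", None
    for ch in cmdline:
        if quote:
            cur += ch
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote, cur = ch, cur + ch
        elif ch.isspace():
            if cur:
                args.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args


def parse_rundll32(cmdline):
    """Return {'dll', 'export', 'ordinal', 'args'} for a rundll32 launch, else None.

    rundll32 takes '<dll>,<entry>' (or '<dll> <entry>'): the DLL is everything
    up to the first comma outside quotes, '#N' selects export ordinal N, and
    the launch may be wrapped in 'cmd.exe /C ...' as in the report.
    """
    args = split_args(cmdline)
    idx = next((i for i, a in enumerate(args)
                if a.strip("\"'").lower().endswith("rundll32.exe")), None)
    if idx is None or idx + 1 >= len(args):
        return None
    target = args[idx + 1]
    if target[0] in "\"'":
        close = target.find(target[0], 1)
        if close < 0:
            return None
        dll, rest = target[1:close], target[close + 1:]
        entry = rest[1:] if rest.startswith(",") else rest
    else:
        dll, _, entry = target.partition(",")
    extra = args[idx + 2:]
    if not entry and extra:                       # 'rundll32 user32.dll LockWorkStation'
        entry = extra.pop(0)
    ordinal = int(entry[1:]) if re.fullmatch(r"#\d+", entry) else None
    return {"dll": dll, "export": entry, "ordinal": ordinal, "args": extra}


def triage(events):
    """Keep rundll32 launches whose DLL lives in a user-writable path or is entered by ordinal."""
    flagged = []
    for ev in events:
        parsed = parse_rundll32(ev["cmdline"])
        if parsed is None:
            continue
        reasons = []
        if any(d in parsed["dll"].lower() for d in USER_WRITABLE):
            reasons.append("DLL in user-writable directory")
        if parsed["ordinal"] is not None:
            reasons.append("export called by ordinal")
        if reasons:
            flagged.append({**ev, **parsed, "reasons": reasons})
    return flagged


# Constructed process-creation events; the first three reuse command lines
# from the report, the rest are benign look-alikes.
EVENTS = [
    {"parent": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen"},
    {"parent": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe user32.dll LockWorkStation"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\plug,in.dll",Run /silent'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\user\notes.txt"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["cmdline"], "->", hit["reasons"])
```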
Source: C:\Windows\SysWOW64\rundll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, the WMI client object behind the IWbemServices::ExecMethod registry writes listed above) |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: iJdlvBxhYu.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: iJdlvBxhYu.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: iJdlvBxhYu.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: iJdlvBxhYu.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: iJdlvBxhYu.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: iJdlvBxhYu.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: iJdlvBxhYu.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: iJdlvBxhYu.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: iJdlvBxhYu.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: iJdlvBxhYu.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: iJdlvBxhYu.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E10160D LoadLibraryA,GetProcAddress, |
0_2_6E10160D |
Source: iJdlvBxhYu.dll |
Static PE information: real checksum: 0x8203c should be: 0x7fedb |
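The report recomputes the PE header checksum and finds a stored value of 0x8203c against an expected 0x7fedb. The Python below is an added example, not code from the report or from any vendor tool; it implements that computation (the CheckSumMappedFile algorithm) and exercises it on a constructed minimal PE32 skeleton, since the sample itself is not available here.

```python
import struct

# Offsets from the PE/COFF specification: e_lfanew at 0x3C in the DOS header,
# 4-byte "PE\0\0" signature, 20-byte COFF file header, CheckSum at offset 0x40
# of the optional header (the same for PE32 and PE32+).
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_SIZE = 20
CHECKSUM_IN_OPTIONAL = 0x40


def checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum; raises on a non-PE buffer."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_IN_OPTIONAL


def compute_checksum(data):
    """Recompute the header checksum as imagehlp!CheckSumMappedFile does.

    The file is summed as little-endian 32-bit words with end-around carry,
    skipping the CheckSum field itself; the sum is folded to 16 bits and the
    file length is added. A partial trailing word is zero-padded.
    """
    skip = checksum_offset(data)
    if skip % 4:
        raise ValueError("CheckSum field is not 4-byte aligned")
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)     # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def stored_checksum(data):
    """The CheckSum value currently written in the optional header."""
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def set_checksum(data):
    """Return a copy with a correct CheckSum (what 'link /RELEASE' or editbin would write)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(buf), compute_checksum(buf))
    return bytes(buf)


def verify(data):
    """Classify a file the way the report does: stored value vs. recomputed value."""
    stored, computed = stored_checksum(data), compute_checksum(data)
    return {"stored": stored, "computed": computed,
            "matches": stored == computed, "unset": stored == 0}


def build_fake_pe(payload):
    """Constructed minimal PE32 skeleton (headers plus raw payload) for testing only."""
    e_lfanew = 0x80
    buf = bytearray(b"MZ")
    buf += b"\0" * (E_LFANEW_OFFSET - len(buf))
    buf += struct.pack("<I", e_lfanew)
    buf += b"\0" * (e_lfanew - len(buf))
    buf += b"PE\0\0"
    # COFF header: i386, 1 section, timestamp, symtab ptr, nsyms, optional size, characteristics
    buf += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)       # PE32 magic; CheckSum left at 0
    buf += optional
    buf += payload
    return bytes(buf)


if __name__ == "__main__":
    sample = build_fake_pe(b"constructed payload " * 37 + b"x")
    print(verify(sample))
    print(verify(set_checksum(sample)))
```

A zero field is unremarkable for user-mode binaries, since the MSVC linker only fills it when asked to with /RELEASE; a non-zero value that does not match, as with this sample, means the file was changed after it was linked, which is why the report treats the mismatch as a signal.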
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E102120 push ecx; ret |
0_2_6E102129 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E102173 push ecx; ret |
0_2_6E102183 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E11420E push es; ret |
0_2_6E11420F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E11423B push ebx; ret |
0_2_6E11424E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E14B315 push ecx; ret |
0_2_6E14B328 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1143C5 push ebp; ret |
0_2_6E1143CE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E18221D push eax; retf |
0_2_6E182220 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E182BB6 push ecx; ret |
0_2_6E182BD1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E102120 push ecx; ret |
3_2_6E102129 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E102173 push ecx; ret |
3_2_6E102183 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_0100AD10 push ecx; ret |
3_2_0100AD19 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_0100B0CB push ecx; ret |
3_2_0100B0DB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E11420E push es; ret |
3_2_6E11420F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E11423B push ebx; ret |
3_2_6E11424E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E14B315 push ecx; ret |
3_2_6E14B328 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1143C5 push ebp; ret |
3_2_6E1143CE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E115842 push esp; ret |
3_2_6E11588C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E18221D push eax; retf |
3_2_6E182220 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E182BB6 push ecx; ret |
3_2_6E182BD1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX (11 times) |
Source: C:\Windows\System32\loaddll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E14C6CB _memset,IsDebuggerPresent, |
0_2_6E14C6CB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E152CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, |
0_2_6E152CFE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E181302 mov eax, dword ptr fs:[00000030h] |
0_2_6E181302 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E181238 mov eax, dword ptr fs:[00000030h] |
0_2_6E181238 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E180E3F push dword ptr fs:[00000030h] |
0_2_6E180E3F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E181302 mov eax, dword ptr fs:[00000030h] |
3_2_6E181302 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E181238 mov eax, dword ptr fs:[00000030h] |
3_2_6E181238 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E180E3F push dword ptr fs:[00000030h] |
3_2_6E180E3F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E151090 SetUnhandledExceptionFilter, |
0_2_6E151090 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_6E1510C1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E151090 SetUnhandledExceptionFilter, |
3_2_6E151090 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_6E1510C1 |
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_6E16770D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW,_GetPrimaryLen, |
0_2_6E1677BA |
Source: C:\Windows\System32\loaddll32.exe |
Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, |
0_2_6E1675E3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
0_2_6E151A40 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
0_2_6E167292 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
0_2_6E151AC6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: _GetPrimaryLen,EnumSystemLocalesW, |
0_2_6E1672EE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: _GetPrimaryLen,EnumSystemLocalesW, |
0_2_6E16736B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, |
0_2_6E1673EE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, |
0_2_6E16701E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
0_2_6E15185F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
0_2_6E14A8B9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, |
3_2_6E16770D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW,_GetPrimaryLen, |
3_2_6E1677BA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, |
3_2_6E1675E3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
3_2_6E151A40 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
3_2_6E167292 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
3_2_6E151AC6 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _GetPrimaryLen,EnumSystemLocalesW, |
3_2_6E1672EE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _GetPrimaryLen,EnumSystemLocalesW, |
3_2_6E16736B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, |
3_2_6E1673EE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, |
3_2_6E16701E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
3_2_6E15185F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
3_2_6E14A8B9 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E101D6E SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
0_2_6E101D6E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_01007EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
3_2_01007EC1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E14CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, |
0_2_6E14CFA3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E101800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
0_2_6E101800 |