Source: 5.3.rundll32.exe.3468d29.0.raw.unpack | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"} |
Source: presentation.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: | Binary string: c:\Friend\507\123\Rol\well W\Flower.pdb source: presentation.dll |
Source: global traffic | HTTP traffic detected: GET /bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FUVq6FVw/212_2Fmya7wvf6qm5/W9P25GOkXEp_/2B7Ii5Reomx/DNGUxpOts5V_2F/m1ZCLgb0yZELhr1HDh2za/sK1pwrtT_2FYeJvy/UKI9xt8zwa55YYh/KZ8_2FX9rMmmJgeD_2/F8QbTyDtN/gF0rE8FYow3_2Fnp33aS/fsqd8_2FyHPS0_2Bp5_/2FbtiZGb31ZO5pN2ppiKul/1QXBqN9S9lxCI/vSq83RG3/yyRImlzN5vRP_2Bwx60Qoqa/1yNTVkSL_2Bp8is/j0c4aw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive |
Source: unknown | DNS traffic detected: queries for: app.buboleinov.com |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 05 May 2021 10:53:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30 |
Source: {93F744B3-ADDB-11EB-90E6-ECF4BB82F7E0}.dat.21.dr, ~DF615A7858A33FDD4B.TMP.21.dr | String found in binary or memory: http://app.buboleinov.com/bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FU |
Source: Yara match | File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D642485 NtQueryVirtualMemory, | 1_2_6D642485 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D6418D1 GetProcAddress,NtCreateSection,memset, | 4_2_6D6418D1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D641B89 NtMapViewOfSection, | 4_2_6D641B89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D642485 NtQueryVirtualMemory, | 4_2_6D642485 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D642264 | 1_2_6D642264 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D67FCA8 | 1_2_6D67FCA8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D67495A | 1_2_6D67495A |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D642264 | 4_2_6D642264 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D67FCA8 | 4_2_6D67FCA8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D67495A | 4_2_6D67495A |
Source: presentation.dll | Binary or memory string: OriginalFilenameFlower.dll8 vs presentation.dll |
Source: classification engine | Classification label: mal68.troj.winDLL@12/13@1/1 |
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93F744B1-ADDB-11EB-90E6-ECF4BB82F7E0}.dat | Jump to behavior |
Source: presentation.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\presentation.dll' | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Might | |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4784 CREDAT:17410 /prefetch:2 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1 | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Might | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1 | Jump to behavior |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4784 CREDAT:17410 /prefetch:2 | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: presentation.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: presentation.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: presentation.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: presentation.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: presentation.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: presentation.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: presentation.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D641F31 LoadLibraryA,GetProcAddress, | 1_2_6D641F31 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D642253 push ecx; ret | 1_2_6D642263 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D642200 push ecx; ret | 1_2_6D642209 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D64FD65 push FFFFFF88h; ret | 1_2_6D64FD71 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D651D31 push eax; iretd | 1_2_6D651D5B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D651C4E push ebx; iretd | 1_2_6D651C4F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D650C3D push ds; iretd | 1_2_6D650C49 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D650671 push esp; iretd | 1_2_6D650689 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D65061E push esp; iretd | 1_2_6D650689 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D6510C6 push ecx; ret | 1_2_6D6510CE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D654B4C push 45C295E6h; retf | 1_2_6D654B51 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D65534C push FFFFFFA4h; retf | 1_2_6D65534F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D655B13 pushfd ; retf | 1_2_6D655B75 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D6753C5 push ecx; ret | 1_2_6D6753D8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D68F0C5 push cs; iretd | 1_2_6D68F0CC |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D68FB2F push ebp; iretd | 1_2_6D68FB30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D642253 push ecx; ret | 4_2_6D642263 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D642200 push ecx; ret | 4_2_6D642209 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D64FD65 push FFFFFF88h; ret | 4_2_6D64FD71 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D651D31 push eax; iretd | 4_2_6D651D5B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D651C4E push ebx; iretd | 4_2_6D651C4F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D650C3D push ds; iretd | 4_2_6D650C49 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D65649F push ecx; retf | 4_2_6D656509 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D650671 push esp; iretd | 4_2_6D650689 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D65061E push esp; iretd | 4_2_6D650689 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D656101 push eax; ret | 4_2_6D656108 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D65700C push es; iretd | 4_2_6D657012 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D6510C6 push ecx; ret | 4_2_6D6510CE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D654B4C push 45C295E6h; retf | 4_2_6D654B51 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D65534C push FFFFFFA4h; retf | 4_2_6D65534F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D655B13 pushfd ; retf | 4_2_6D655B75 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D6753C5 push ecx; ret | 4_2_6D6753D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D641F31 LoadLibraryA,GetProcAddress, | 1_2_6D641F31 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D68D1A5 mov eax, dword ptr fs:[00000030h] | 1_2_6D68D1A5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D68CCE2 push dword ptr fs:[00000030h] | 1_2_6D68CCE2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D68D0DB mov eax, dword ptr fs:[00000030h] | 1_2_6D68D0DB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D68D1A5 mov eax, dword ptr fs:[00000030h] | 4_2_6D68D1A5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D68CCE2 push dword ptr fs:[00000030h] | 4_2_6D68CCE2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D68D0DB mov eax, dword ptr fs:[00000030h] | 4_2_6D68D0DB |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1 | Jump to behavior |
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager |
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, | 1_2_6D641566 |
Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, | 1_2_6D67BDC3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, | 1_2_6D67C4D0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, | 1_2_6D67BE2F |
Source: C:\Windows\System32\loaddll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, | 1_2_6D67C9EE |
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, | 1_2_6D6781A7 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, | 4_2_6D641566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, | 4_2_6D67BDC3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, | 4_2_6D67C4D0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, | 4_2_6D67BE2F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, | 4_2_6D67C9EE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, | 4_2_6D6781A7 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D6417A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, | 1_2_6D6417A7 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6D64146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, | 1_2_6D64146C |