Source: 4.2.rundll32.exe.4c894a0.3.raw.unpack |
Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: 609a460e94791.tiff.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll |
Source: 609a460e94791.tiff.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000001.00000002.727825463.000000006E20B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.730325292.000000006E20B000.00000002.00020000.sdmp, 609a460e94791.tiff.dll |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, |
1_2_6E1E5AB0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C94C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
4_2_02C94C3B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, |
4_2_6E1E5AB0 |
Source: Joe Sandbox View |
IP Address: 40.97.161.50 |
Source: global traffic |
HTTP traffic detected:
GET /login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBaicl7yvyNDs/NaAVAq9mPnbNTlKz1AUy2/5aIKWQiZNRBNaijS/Tt5Vo5dnaNIMeJI/Piqfb55cpfCEI8CpHK/_2FWICMIW/YUkQnOfGVld1SPd1rTnm/w0s_2F9NNcplFjkZ_2F/ufX9zF863VCJiOMFbmL1SV/K4t8NhPa8Lg/cl7PdmL.gfk HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive |
Source: unknown |
DNS traffic detected: queries for: outlook.com |
Source: ~DF6A2029352AAD8EB0.TMP.18.dr, {7A4756FC-B284-11EB-90E5-ECF4BB2D2496}.dat.18.dr |
String found in binary or memory: https://outlook.office365.com/login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBa |
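The GET above is the Ursnif/Gozi (ISFB) check-in. Public analyses of this family describe the request parameters as Serpent-CBC-encrypted with the configured serpent_key, base64-encoded with the characters that are not URL-safe replaced by the tokens _2B and _2F, and broken up with slashes so the path looks like a deep directory tree ending in a harmless-looking file name. The configuration lists two legitimate hosts (outlook.com, gmail.com) ahead of the operator domains; the sandbox saw the beacon go to outlook.com, and the outlook.office365.com URL in the Internet Explorer recovery files is Microsoft's redirect, not operator infrastructure. The Python below is an added example, not code from the sandbox vendor or from the malware, that reverses the path encoding and gives a heuristic for flagging such paths in proxy logs. Two assumptions are labelled in the code: the _3D token for '=' padding (absent from this sample), and that the first two components (the configured prefix "login" from the c2 entry "outlook.com/login", and the word "greed") are not part of the payload. That count was chosen because it is the only one for which the decoded length is a whole number of 16-byte Serpent blocks (160 bytes); the bytes recovered are still ciphertext and need a Serpent implementation plus the extracted key to read.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed from this report: the captured beacon path and the c2_domain list
# from the extracted configuration.
SAMPLE_PATH = (
    "/login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/"
    "vjBaicl7yvyNDs/NaAVAq9mPnbNTlKz1AUy2/5aIKWQiZNRBNaijS/Tt5Vo5dnaNIMeJI/"
    "Piqfb55cpfCEI8CpHK/_2FWICMIW/YUkQnOfGVld1SPd1rTnm/w0s_2F9NNcplFjkZ_2F/"
    "ufX9zF863VCJiOMFbmL1SV/K4t8NhPa8Lg/cl7PdmL.gfk"
)
C2_DOMAINS = ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"]

# Escape tokens standing in for base64 characters that are not URL-safe.
# "_2B" and "_2F" occur in the captured path; "_3D" for '=' is an assumption
# (the sample has no padding, and decode_beacon_path re-derives padding anyway).
_TOKENS = {"_2B": "+", "_2F": "/", "_3D": "="}
_B64 = re.compile(r"^[A-Za-z0-9+/]+$")
SERPENT_BLOCK = 16  # the config carries a serpent_key; Serpent is a 128-bit block cipher


def c2_hosts(domains: List[str]) -> List[Tuple[str, str]]:
    """Split c2_domain entries into (host, uri prefix); bare hosts get "/"."""
    out = []
    for entry in domains:
        host, _, prefix = entry.partition("/")
        out.append((host.lower(), "/" + prefix if prefix else "/"))
    return out


def decode_beacon_path(path: str, skip: int = 2) -> bytes:
    """Return the raw ciphertext carried in a beacon path.

    Split on '/', drop the first `skip` components (assumed: prefix "login" and
    the word "greed" for this sample), strip the extension from the last
    component, join the rest, undo the escape tokens, re-pad and base64-decode.
    """
    parts = [p for p in path.split("/") if p]
    if len(parts) <= skip:
        raise ValueError("no payload components after the prefix")
    parts = parts[skip:]
    parts[-1] = parts[-1].rsplit(".", 1)[0]  # ".gfk"-style extension
    blob = "".join(parts)
    for token, char in _TOKENS.items():
        blob = blob.replace(token, char)
    blob = blob.rstrip("=")
    if not _B64.match(blob):
        raise ValueError("payload is not base64 after token replacement")
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob)
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from None


def beacon_skip(path: str, min_components: int = 6, min_bytes: int = 64) -> Optional[int]:
    """Proxy-log heuristic: the number of leading components (0..2) to drop so
    that the payload decodes to whole Serpent blocks, or None if none does.
    Ordinary URLs rarely have six base64-looking components of this size."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < min_components:
        return None
    for skip in range(3):
        try:
            data = decode_beacon_path(path, skip)
        except ValueError:
            continue
        if len(data) >= min_bytes and len(data) % SERPENT_BLOCK == 0:
            return skip
    return None


if __name__ == "__main__":
    skip = beacon_skip(SAMPLE_PATH)
    if skip is None:
        raise SystemExit("path does not look like an ISFB beacon")
    data = decode_beacon_path(SAMPLE_PATH, skip)
    print("c2 prefixes:", c2_hosts(C2_DOMAINS))
    print(f"skip={skip}: {len(data)} bytes = {len(data) // SERPENT_BLOCK} Serpent blocks")
    print("first block (hex):", data[:SERPENT_BLOCK].hex())
```

beacon_skip is deliberately strict (six components, at least 64 decoded bytes, block alignment) so that it can run over a day of proxy logs without flooding an analyst; pair it with the host list from c2_hosts for the high-confidence hits and treat the rest as leads.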
Source: unknown |
Network traffic detected: HTTP traffic on port 49734 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49735 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49735 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49734 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: Yara match |
File source: 00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 6660, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6700, type: MEMORY |
Source: loaddll32.exe, 00000001.00000002.722729913.00000000016AB000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E171F14 NtMapViewOfSection, |
1_2_6E171F14 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1715F1 GetProcAddress,NtCreateSection,memset, |
1_2_6E1715F1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1723A5 NtQueryVirtualMemory, |
1_2_6E1723A5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C91168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
4_2_02C91168 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C9B2F1 NtQueryVirtualMemory, |
4_2_02C9B2F1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E172184 |
1_2_6E172184 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C9B0CC |
4_2_02C9B0CC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C9696A |
4_2_02C9696A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C91B6A |
4_2_02C91B6A |
Source: 609a460e94791.tiff.dll |
Binary or memory string: OriginalFilenamefall.dll8 vs 609a460e94791.tiff.dll |
Source: classification engine |
Classification label: mal64.troj.winDLL@14/5@3/3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C97F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
4_2_02C97F56 |
Source: C:\Program Files\internet explorer\iexplore.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A4756FA-B284-11EB-90E5-ECF4BB2D2496}.dat |
Source: C:\Program Files\internet explorer\iexplore.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF745550B0ECD73E02.TMP |
Source: 609a460e94791.tiff.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Program Files\internet explorer\iexplore.exe |
File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll' |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1 |
Source: unknown |
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5436 CREDAT:17410 /prefetch:2 |
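The process creations above, the WMI StdRegProv lines earlier in the report and the Code function API chains are easier to triage once the flat export is parsed: which process spawned which, which exports of the DLL rundll32 was told to call (Hundredpopulate@@8, Mark@@12, Seefit@@8 and ordinal #1), how many registry writes went through IWbemServices::ExecMethod rather than the advapi32 Reg* functions (a route that user-mode hooks on RegSetValue* never see, which is why the report lists them separately), and which native API sequences the sandbox attributed to each function. The Python below is an added example, not part of the report or of the vendor's tooling. Its input is a constructed excerpt of this page's own lines, and the "Source: … |" then "Kind: detail |" pairing it parses is the layout seen on this page, not a documented Joe Sandbox export format.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Constructed input: evidence lines copied from this report.  A "Source: X |"
# line names the process the next "Kind: detail |" line belongs to; the bare
# address line after a "Code function" entry is part of that layout.
REPORT = r"""
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll' |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C91168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
4_2_02C91168 |
"""

Record = Tuple[str, str, str]  # (source, kind, detail)


def parse_evidence(text: str) -> Iterator[Record]:
    """Pair each evidence line with the preceding 'Source:' line; lines with
    no 'Kind:' prefix (the bare function addresses) are skipped."""
    source = "unknown"
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line:
            continue
        if line.startswith("Source:"):
            source = line[len("Source:"):].strip() or "unknown"
            continue
        kind, sep, detail = line.partition(":")
        if sep:
            yield source, kind.strip(), detail.strip()


# image path up to the first ".exe", then the command line (paths may contain spaces)
_PROC_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmdline>.*)$", re.IGNORECASE)
# export name or ordinal following the DLL in a rundll32 command line
_EXPORT_RE = re.compile(r"\.dll'?,(?P<export>#\d+|[A-Za-z_][\w@]*)")


def process_tree(records: List[Record]) -> Dict[str, List[Tuple[str, str]]]:
    """parent image -> [(child image, child command line), ...]"""
    tree: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for source, kind, detail in records:
        m = _PROC_RE.match(detail) if kind == "Process created" else None
        if m:
            tree[source].append((m.group("image"), m.group("cmdline")))
    return dict(tree)


def rundll32_exports(records: List[Record]) -> Set[str]:
    """Exports or ordinals that rundll32 was asked to call in the DLL."""
    found = set()
    for _, kind, detail in records:
        if kind == "Process created" and "rundll32" in detail.lower():
            m = _EXPORT_RE.search(detail)
            if m:
                found.add(m.group("export"))
    return found


def wmi_registry_writes(records: List[Record]) -> Dict[str, int]:
    """StdRegProv Set* calls issued through WMI, per process; these bypass
    advapi32's RegSetValue* and any user-mode hooks placed on it."""
    counts: Dict[str, int] = defaultdict(int)
    for source, kind, detail in records:
        if kind == "WMI Registry write" and "StdRegProv::Set" in detail:
            counts[source] += 1
    return dict(counts)


def api_chains(records: List[Record]) -> Dict[str, List[str]]:
    """function id -> APIs the sandbox saw that function call, in order."""
    chains: Dict[str, List[str]] = {}
    for _, kind, detail in records:
        if kind == "Code function":
            fid, _, apis = detail.partition(" ")
            calls = [a for a in apis.split(",") if a]
            if calls:
                chains[fid] = calls
    return chains


RECORDS = list(parse_evidence(REPORT))

if __name__ == "__main__":
    for parent, children in process_tree(RECORDS).items():
        for image, cmdline in children:
            print(f"{parent}\n    -> {image}  [{cmdline}]")
    print("exports via rundll32:", sorted(rundll32_exports(RECORDS)))
    print("WMI registry writes:", wmi_registry_writes(RECORDS))
    print("API chains:", api_chains(RECORDS))
```

The chain 4_2_02C91168 (NtOpenProcess, NtOpenProcessToken, three NtQueryInformationToken calls) is the bot inspecting another process's token, which is why it is worth pulling these sequences out by function id rather than reading them inline.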
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: 609a460e94791.tiff.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 609a460e94791.tiff.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 609a460e94791.tiff.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 609a460e94791.tiff.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 609a460e94791.tiff.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 609a460e94791.tiff.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 609a460e94791.tiff.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 609a460e94791.tiff.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 609a460e94791.tiff.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 609a460e94791.tiff.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 609a460e94791.tiff.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1717FA LoadLibraryA,GetProcAddress, |
1_2_6E1717FA |
Source: 609a460e94791.tiff.dll |
Static PE information: real checksum: 0xdacb0 should be: 0xd1c24 |
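The checksum line above is a check worth repeating by hand on the file. The optional-header CheckSum is a 16-bit ones'-complement sum over the words of the whole file (the field itself excluded) plus the file length; a stored value that differs from the computed one (0xdacb0 against 0xd1c24 here) means the image was modified after the linker wrote it, which is typical of packed or patched loaders, and the user-mode loader does not enforce the field, so the DLL still loads. The Python below is an added example, not from the report; minimal_pe() is a constructed test vector rather than a loadable image, and the expected values in its test were computed for that buffer, not for 609a460e94791.tiff.dll.

```python
import struct


def pe_checksum(data: bytes) -> int:
    """Compute the PE image checksum the way CheckSumMappedFile does: a 16-bit
    ones'-complement sum over the file's words, skipping the CheckSum field,
    folded to 16 bits and then added to the file length."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # CheckSum is 64 bytes into the optional header, which follows the 4-byte
    # signature and the 20-byte COFF file header.
    cs_off = e_lfanew + 4 + 20 + 64
    buf = data + b"\0" if len(data) % 2 else data
    total = 0
    for off in range(0, len(buf), 2):
        if off == cs_off or off == cs_off + 2:
            continue
        total += struct.unpack_from("<H", buf, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    """The CheckSum value the file claims for itself."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 88)[0]


def checksum_report(data: bytes) -> dict:
    """Same comparison as the report line 'real checksum: X should be: Y'."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return {"stored": stored, "computed": computed, "matches": stored == computed}


def minimal_pe(size: int = 256, checksum: int = 0) -> bytes:
    """Constructed test vector: zero-filled, with only the MZ magic,
    e_lfanew=0x40, the PE signature and a CheckSum field.  Not loadable."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 88, checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            target = fh.read()
    else:
        target = minimal_pe(checksum=0xDACB0)  # stand-in for a tampered file
    r = checksum_report(target)
    print(f"real checksum: {r['stored']:#x} should be: {r['computed']:#x} "
          f"({'ok' if r['matches'] else 'MISMATCH'})")
```

Run it with the sample path as the only argument to reproduce the report's two numbers; a zero stored checksum is common for debug builds and is not by itself suspicious, whereas a non-zero value that does not match is.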
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E172120 push ecx; ret |
1_2_6E172129 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E172173 push ecx; ret |
1_2_6E172183 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E2406DB push ebp; retf 0000h |
1_2_6E2406DC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C9B0BB push ecx; ret |
4_2_02C9B0CB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C9AD00 push ecx; ret |
4_2_02C9AD09 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E2406DB push ebp; retf 0000h |
4_2_6E2406DC |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1A11D0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
1_2_6E1A11D0 |
Source: C:\Windows\System32\loaddll32.exe |
Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX (2 occurrences) |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX (12 occurrences) |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1A36C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
1_2_6E1A36C0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1E0480 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV, |
1_2_6E1E0480 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1E4E20 mov ecx, dword ptr fs:[00000030h] |
1_2_6E1E4E20 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1E4CE0 mov ecx, dword ptr fs:[00000030h] |
1_2_6E1E4CE0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1E4D80 mov ecx, dword ptr fs:[00000030h] |
1_2_6E1E4D80 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1B7960 mov eax, dword ptr fs:[00000030h] |
1_2_6E1B7960 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E23C536 mov eax, dword ptr fs:[00000030h] |
1_2_6E23C536 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E23C46C mov eax, dword ptr fs:[00000030h] |
1_2_6E23C46C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E23C073 push dword ptr fs:[00000030h] |
1_2_6E23C073 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1E4E20 mov ecx, dword ptr fs:[00000030h] |
4_2_6E1E4E20 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1E4CE0 mov ecx, dword ptr fs:[00000030h] |
4_2_6E1E4CE0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1E4D80 mov ecx, dword ptr fs:[00000030h] |
4_2_6E1E4D80 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1B7960 mov eax, dword ptr fs:[00000030h] |
4_2_6E1B7960 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E23C536 mov eax, dword ptr fs:[00000030h] |
4_2_6E23C536 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E23C46C mov eax, dword ptr fs:[00000030h] |
4_2_6E23C46C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E23C073 push dword ptr fs:[00000030h] |
4_2_6E23C073 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1B4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
1_2_6E1B4F60 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1A38F0 SetUnhandledExceptionFilter, |
1_2_6E1A38F0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1A3990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
1_2_6E1A3990 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1A36C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_6E1A36C0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1B4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_6E1B4F60 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1A38F0 SetUnhandledExceptionFilter, |
4_2_6E1A38F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E1A3990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_6E1A3990 |
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C92D6E cpuid |
4_2_02C92D6E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E171237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
1_2_6E171237 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02C92D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
4_2_02C92D6E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E171CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
1_2_6E171CDD |