Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq | Avira URL Cloud: Label: malware |
Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo | Avira URL Cloud: Label: malware |
Source: 00000005.00000003.323666044.0000000002AB0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"} |
Source: global traffic | HTTP traffic detected: GET /INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive |
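The request above is the sample's first beacon to one of the two C2 hosts carried in the extracted configuration. The long path is not a resource name: it is one base64 blob in which `+`, `/` and `=` have been rewritten as `_2B`, `_2F` and `_3D` and `/` separators inserted at random intervals (note `sdR7_/2FySnp`, where a separator lands inside an escape). The report itself records only the raw request; that this is the ISFB/Ursnif transport encoding, with Serpent-CBC underneath, is an assumption taken from public ISFB analyses. The Python below is an added example, not the report's or the sandbox's own tooling: it undoes the encoding, checks that the decoded blob is aligned to the Serpent block size (the config above carries a 16-byte Serpent key), matches the Host header against the configured C2 list, and applies an illustrative heuristic over a few constructed control paths. Thresholds and control inputs are the author's, not the page's.

```python
import base64
import math
import re
from collections import Counter
from typing import Dict, Optional

# Fields copied from the extracted Ursnif configuration above (the RSA blob
# is left out because this example does not use it).
CONFIG = {
    "c2_domain": ["authd.feronok.com", "app.bighomegl.at"],
    "serpent_key": "jT7xNsiVSW2IugIq",
    "sleep_time": "10",
}

# Request path and Host header copied from the captured GET above.
CAPTURED_HOST = "authd.feronok.com"
CAPTURED_PATH = (
    "/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/"
    "5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/"
    "MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/"
    "_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/"
    "obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/"
    "XD203nXIqoX/COsoX4qlT56/jcBfJkpo"
)

# Assumption (public ISFB analyses, not stated in this report): the beacon is
# Serpent-CBC encrypted, base64 encoded, '+', '/', '=' rewritten as '_2B',
# '_2F', '_3D', and '/' separators sprinkled into the result.
ESCAPES = {"_2B": "+", "_2F": "/", "_3D": "="}
SERPENT_BLOCK = 16
B64_BODY = re.compile(r"^[A-Za-z0-9+/]+$")


def normalize_path(path: str) -> str:
    """Drop the separators before undoing the escapes: an escape can be split
    by a separator (as in 'sdR7_/2FySnp'), so the other order misses it."""
    joined = path.replace("/", "")
    for token, char in ESCAPES.items():
        joined = joined.replace(token, char)
    return joined.rstrip("=")


def decode_beacon(path: str) -> Optional[bytes]:
    """Return the raw (still encrypted) beacon bytes, or None if the path is
    not a single base64 blob once the transport encoding is removed."""
    body = normalize_path(path)
    if not B64_BODY.match(body):
        return None
    body += "=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(path: str, host: str = "", cfg: Dict = CONFIG) -> Dict:
    segments = [s for s in path.split("/") if s]
    joined = path.replace("/", "")
    escapes = sum(joined.count(t) for t in ESCAPES)
    decoded = decode_beacon(path)
    body = normalize_path(path)
    entropy = shannon_entropy(body) if body else 0.0
    block_aligned = decoded is not None and len(decoded) % SERPENT_BLOCK == 0
    # Illustrative thresholds; tune them against your own proxy logs.
    beacon = (
        block_aligned
        and len(decoded) >= 64
        and len(segments) >= 4
        and entropy >= 5.0
    )
    return {
        "beacon": beacon,
        "known_c2": host in cfg["c2_domain"],
        "segments": len(segments),
        "escapes": escapes,
        "decoded_len": len(decoded) if decoded else 0,
        "entropy": round(entropy, 2),
    }


def serpent_key_ok(cfg: Dict = CONFIG) -> bool:
    """Serpent accepts 128/192/256-bit keys; the config carries 16 ASCII bytes."""
    return len(cfg["serpent_key"].encode()) in (16, 24, 32)


# Constructed control inputs (not from the report).
BENIGN_PATHS = ["/images/logo.png", "/api/v1/users/1234/profile", "/abcd/efgh"]
LOW_ENTROPY_PATH = "/" + "/".join(["A" * 40] * 8)  # valid base64, 240 zero bytes

if __name__ == "__main__":
    print("serpent key length ok:", serpent_key_ok())
    print("captured:", classify(CAPTURED_PATH, CAPTURED_HOST))
    for p in [LOW_ENTROPY_PATH] + BENIGN_PATHS:
        print(p[:32], classify(p))
```

The low-entropy control path decodes to a block-aligned blob of the same size as the real beacon, which is why the rule does not rely on base64 validity and alignment alone; the entropy check is what separates a ciphertext from padding. A real deployment would also key the rule on the Host header, as `known_c2` does here with the two domains from the config.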
Source: Yara match | File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2485 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C1B9C GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C1EC7 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2485 NtQueryVirtualMemory, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2264 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2237EA |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23F1F0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23D7C5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23DFD2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E224510 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E291D40 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E237200 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23A216 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E221010 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2308E5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E22A9D3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2264 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2237EA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23F1F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23D7C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23DFD2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E224510 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E291D40 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E237200 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23A216 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E221010 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2308E5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E22A9D3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E220F70 appears 31 times |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E220F70 appears 31 times |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2 |
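The process rows above show the sandbox harness (loaddll32.exe) exercising the DLL three ways: by ordinal `#1` through cmd.exe, and by the named exports `Paragraphbell` and `Sharptwo`. The detection-relevant pattern is rundll32.exe loading a DLL from a user-writable directory, with the export given either by ordinal or by an arbitrary name. The Python below is an added example, not the report's own tooling: it parses the 'Process created' rows above (copied as they appear, including the report's own `..` abbreviation of the sample name) into parent chains and flags the rundll32 invocations. The alerting criteria (DLL outside C:\Windows\, or export by ordinal) are the author's assumption about what is worth surfacing, not a rule the report states.

```python
import ntpath
import re
from typing import Dict, List

# 'Process created' rows copied verbatim from the report above. The '..' in the
# DLL name is the report's abbreviation of the sample name, kept as it appears.
ROWS = r"""
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2 |
"""

# Row layout of the report: "Source: <parent> | Process created: <image> <cmdline> |".
# The image path may contain spaces, so it is matched up to the first ".exe".
ROW_RE = re.compile(
    r"^Source: (?P<parent>.+?) \| Process created: (?P<image>.+?\.exe) (?P<cmdline>.*?) \|$",
    re.IGNORECASE,
)
# DLL argument as rundll32 takes it: [quoted] path, then optional ',Export' or ',#ordinal'.
DLL_ARG_RE = re.compile(
    r"'?(?P<dll>[A-Za-z]:\\[^',]+\.dll)'?(?:,(?P<export>\S+))?", re.IGNORECASE
)
SYSTEM_ROOT = "c:\\windows\\"


def parse_rows(text: str) -> List[Dict[str, str]]:
    procs = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            procs.append(m.groupdict())
    return procs


def ancestry(image: str, parent: str, parent_of: Dict[str, str]) -> str:
    """Walk parents by image path; stops at the report's 'unknown' root."""
    chain = [ntpath.basename(image)]
    cur = parent
    while cur and cur.lower() != "unknown" and len(chain) < 8:
        chain.insert(0, ntpath.basename(cur))
        cur = parent_of.get(cur, "")
    return " > ".join(chain)


def rundll32_findings(text: str) -> List[Dict[str, object]]:
    procs = parse_rows(text)
    # First-seen parent per image; the rows carry no PIDs, so this is best effort.
    parent_of: Dict[str, str] = {}
    for p in procs:
        parent_of.setdefault(p["image"], p["parent"])
    findings = []
    for p in procs:
        if ntpath.basename(p["image"]).lower() != "rundll32.exe":
            continue
        m = DLL_ARG_RE.search(p["cmdline"])
        if not m:
            continue
        dll = m.group("dll")
        export = m.group("export") or ""
        outside_system = not dll.lower().startswith(SYSTEM_ROOT)
        ordinal = export.startswith("#")
        if outside_system or ordinal:
            findings.append({
                "chain": ancestry(p["image"], p["parent"], parent_of),
                "dll": dll,
                "export": export,
                "outside_system": outside_system,
                "ordinal": ordinal,
            })
    return findings


if __name__ == "__main__":
    for f in rundll32_findings(ROWS):
        print(f)
```

Against the rows above this yields three findings, one of them by ordinal with the chain loaddll32.exe > cmd.exe > rundll32.exe. The same regexes apply unchanged to Sysmon event 1 or EDR command lines, where the parent comes with a PID and the ancestry walk becomes exact.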
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2200 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2253 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E220FB5 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D0B16 pushad ; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1CEBB5 pushfd ; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D2807 pushad ; retf |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D10D4 push 04853024h; retf |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2200 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2253 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E220FB5 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D0B16 pushad ; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1CEBB5 pushfd ; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D2807 pushad ; retf |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D10D4 push 04853024h; retf |
Source: Yara match | File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E238402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E297188 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2970BE mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E296CC5 push dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E297188 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2970BE mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E296CC5 push dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E225EA1 SetUnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E225EA1 SetUnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, |
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, |
Source: C:\Windows\System32\loaddll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C1C7D SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
Source: Yara match | File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY |