Source: 00000004.00000003.400598077.0000000003050000.00000040.00000001.sdmp |
Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"} |
Source: 4.2.rundll32.exe.30e0000.2.unpack |
Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 0.2.loaddll32.exe.10e0000.0.unpack |
Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 3d0.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: |
Binary string: c:\834\Bar\Me\shop\Prop\Woman \where.pdb source: loaddll32.exe, 00000000.00000002.479359955.0000000001134000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.481255788.0000000003134000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.481586184.00000000049C4000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.480846819.0000000002F64000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.481573305.0000000002F34000.00000002.00020000.sdmp, 3d0.dll |
Source: unknown |
DNS traffic detected: queries for: authd.feronok.com |
Source: Yara match |
File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY |
Source: loaddll32.exe, 00000000.00000002.480410281.000000000171B000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010E1B9C GetProcAddress,NtCreateSection,memset, |
0_2_010E1B9C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010E1EC7 NtMapViewOfSection, |
0_2_010E1EC7 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010E2485 NtQueryVirtualMemory, |
0_2_010E2485 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011D2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
0_2_011D2D06 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011D8005 NtQueryVirtualMemory, |
0_2_011D8005 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030E1B9C GetProcAddress,NtCreateSection,memset, |
4_2_030E1B9C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030E1EC7 NtMapViewOfSection, |
4_2_030E1EC7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030E2485 NtQueryVirtualMemory, |
4_2_030E2485 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04972485 NtQueryVirtualMemory, |
6_2_04972485 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F11EC7 NtMapViewOfSection, |
7_2_02F11EC7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F11B9C GetProcAddress,NtCreateSection,memset, |
7_2_02F11B9C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F12485 NtQueryVirtualMemory, |
7_2_02F12485 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_03292D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
7_2_03292D06 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_03298005 NtQueryVirtualMemory, |
7_2_03298005 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02EE1EC7 NtMapViewOfSection, |
8_2_02EE1EC7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02EE1B9C GetProcAddress,NtCreateSection,memset, |
8_2_02EE1B9C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02EE2485 NtQueryVirtualMemory, |
8_2_02EE2485 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010E2264 |
0_2_010E2264 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011D3109 |
0_2_011D3109 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011D7DE0 |
0_2_011D7DE0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011D2206 |
0_2_011D2206 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_01115A90 |
0_2_01115A90 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011225D0 |
0_2_011225D0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011217F0 |
0_2_011217F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030E2264 |
4_2_030E2264 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03115A90 |
4_2_03115A90 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_031217F0 |
4_2_031217F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_031225D0 |
4_2_031225D0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04972264 |
6_2_04972264 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049A5A90 |
6_2_049A5A90 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049B25D0 |
6_2_049B25D0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049B17F0 |
6_2_049B17F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F12264 |
7_2_02F12264 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_03293109 |
7_2_03293109 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_03297DE0 |
7_2_03297DE0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_03292206 |
7_2_03292206 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F45A90 |
7_2_02F45A90 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F517F0 |
7_2_02F517F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F525D0 |
7_2_02F525D0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02EE2264 |
8_2_02EE2264 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F15A90 |
8_2_02F15A90 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F217F0 |
8_2_02F217F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F225D0 |
8_2_02F225D0 |
Source: classification engine |
Classification label: mal80.troj.winDLL@18/5@3/0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011D513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
0_2_011D513E |
Source: 3d0.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin |
Source: 3d0.dll |
Virustotal: Detection: 55% |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3d0.dll' |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign |
Source: unknown |
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: 3d0.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 3d0.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 3d0.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 3d0.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 3d0.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 3d0.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 3d0.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 3d0.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 3d0.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 3d0.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 3d0.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 3d0.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: 3d0.dll |
Static PE information: real checksum: 0x7cc80 should be: 0x7d379 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010E2200 push ecx; ret |
0_2_010E2209 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010E2253 push ecx; ret |
0_2_010E2263 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011D7DCF push ecx; ret |
0_2_011D7DDF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011D7A60 push ecx; ret |
0_2_011D7A69 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010F0815 push esi; ret |
0_2_010F0859 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010F4391 pushfd ; ret |
0_2_010F4392 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010EE204 push ebx; iretd |
0_2_010EE20D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010F45B9 push ds; ret |
0_2_010F45ED |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010F266E push eax; ret |
0_2_010F266F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010F4ECD push ebx; iretd |
0_2_010F4EE9 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_01157D0C push edx; ret |
0_2_01157D0F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0115773B push esp; iretd |
0_2_0115774A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_01156D42 push ebp; iretd |
0_2_01156D4E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011574B3 push ebx; retf |
0_2_011574B5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030E2200 push ecx; ret |
4_2_030E2209 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030E2253 push ecx; ret |
4_2_030E2263 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030F4391 pushfd ; ret |
4_2_030F4392 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030EE204 push ebx; iretd |
4_2_030EE20D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030F0815 push esi; ret |
4_2_030F0859 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030F266E push eax; ret |
4_2_030F266F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030F4ECD push ebx; iretd |
4_2_030F4EE9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_030F45B9 push ds; ret |
4_2_030F45ED |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03157D0C push edx; ret |
4_2_03157D0F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_0315773B push esp; iretd |
4_2_0315774A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03156D42 push ebp; iretd |
4_2_03156D4E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_031574B3 push ebx; retf |
4_2_031574B5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04972200 push ecx; ret |
6_2_04972209 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04972253 push ecx; ret |
6_2_04972263 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049845B9 push ds; ret |
6_2_049845ED |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_04984ECD push ebx; iretd |
6_2_04984EE9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_0498266E push eax; ret |
6_2_0498266F |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0111B8F0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_01154F71 mov eax, dword ptr fs:[00000030h] |
0_2_01154F71 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_01154EA7 mov eax, dword ptr fs:[00000030h] |
0_2_01154EA7 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_01154AAE push dword ptr fs:[00000030h] |
0_2_01154AAE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03154F71 mov eax, dword ptr fs:[00000030h] |
4_2_03154F71 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03154EA7 mov eax, dword ptr fs:[00000030h] |
4_2_03154EA7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03154AAE push dword ptr fs:[00000030h] |
4_2_03154AAE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049E4F71 mov eax, dword ptr fs:[00000030h] |
6_2_049E4F71 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049E4AAE push dword ptr fs:[00000030h] |
6_2_049E4AAE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049E4EA7 mov eax, dword ptr fs:[00000030h] |
6_2_049E4EA7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F84F71 mov eax, dword ptr fs:[00000030h] |
7_2_02F84F71 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F84AAE push dword ptr fs:[00000030h] |
7_2_02F84AAE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F84EA7 mov eax, dword ptr fs:[00000030h] |
7_2_02F84EA7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F54F71 mov eax, dword ptr fs:[00000030h] |
8_2_02F54F71 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F54EA7 mov eax, dword ptr fs:[00000030h] |
8_2_02F54EA7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F54AAE push dword ptr fs:[00000030h] |
8_2_02F54AAE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0111B900 GetProcessHeap,RtlAllocateHeap,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_init,__mtinit,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__mtterm,__heap_term,___setargv,__setenvp,__cinit,__ioterm,__mtterm,__heap_term,__CrtSetDbgFlag,__CrtDumpMemoryLeaks,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__encode_pointer,__initptd,GetCurrentThreadId,__freeptd, |
0_2_0111B900 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0111C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0111C060 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0111B8F0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0111DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0111DC70 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_01120680 SetUnhandledExceptionFilter,__encode_pointer, |
0_2_01120680 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_011206B0 __encode_pointer,SetUnhandledExceptionFilter, |
0_2_011206B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_0311C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_0311C060 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_0311B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_0311B8F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_03120680 SetUnhandledExceptionFilter,__encode_pointer, |
4_2_03120680 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_031206B0 __encode_pointer,SetUnhandledExceptionFilter, |
4_2_031206B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_0311DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_0311DC70 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049ADC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_049ADC70 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049B0680 SetUnhandledExceptionFilter,__encode_pointer, |
6_2_049B0680 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049B06B0 __encode_pointer,SetUnhandledExceptionFilter, |
6_2_049B06B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049AB8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_049AB8F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 6_2_049AC060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
6_2_049AC060 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F4B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
7_2_02F4B8F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F4C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
7_2_02F4C060 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F506B0 __encode_pointer,SetUnhandledExceptionFilter, |
7_2_02F506B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F50680 SetUnhandledExceptionFilter,__encode_pointer, |
7_2_02F50680 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_02F4DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
7_2_02F4DC70 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F1B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
8_2_02F1B8F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F1C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
8_2_02F1C060 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F206B0 __encode_pointer,SetUnhandledExceptionFilter, |
8_2_02F206B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F20680 SetUnhandledExceptionFilter,__encode_pointer, |
8_2_02F20680 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_02F1DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
8_2_02F1DC70 |
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
0_2_010E1E8A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoA, |
0_2_0112A8A0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
4_2_030E1E8A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
4_2_0312A8A0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
6_2_04971E8A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
6_2_049BA8A0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
7_2_02F11E8A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
7_2_02F5A8A0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
8_2_02EE1E8A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
8_2_02F2A8A0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010E1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, |
0_2_010E1144 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 7_2_03294454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
7_2_03294454 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_010E1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
0_2_010E1F10 |