Source: 00000004.00000003.400598077.0000000003050000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"} |
Source: 4.2.rundll32.exe.30e0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 0.2.loaddll32.exe.10e0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: | Binary string: c:\834\Bar\Me\shop\Prop\Woman \where.pdb source: loaddll32.exe, 00000000.00000002.479359955.0000000001134000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.481255788.0000000003134000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.481586184.00000000049C4000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.480846819.0000000002F64000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.481573305.0000000002F34000.00000002.00020000.sdmp, 3d0.dll |
Source: Yara match | File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY |
Source: loaddll32.exe, 00000000.00000002.480410281.000000000171B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: Yara match | File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1B9C GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1EC7 NtMapViewOfSection, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E2485 NtQueryVirtualMemory, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D8005 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E1B9C GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E1EC7 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E2485 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04972485 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F11EC7 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F11B9C GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F12485 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03292D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03298005 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE1EC7 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE1B9C GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE2485 NtQueryVirtualMemory, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E2264 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D3109 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D7DE0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D2206 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01115A90 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011225D0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011217F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E2264 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03115A90 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_031217F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_031225D0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04972264 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049A5A90 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049B25D0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049B17F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F12264 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03293109 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03297DE0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03292206 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F45A90 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F517F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F525D0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE2264 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F15A90 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F217F0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F225D0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3d0.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: | Binary string: c:\834\Bar\Me\shop\Prop\Woman \where.pdb source: loaddll32.exe, 00000000.00000002.479359955.0000000001134000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.481255788.0000000003134000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.481586184.00000000049C4000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.480846819.0000000002F64000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.481573305.0000000002F34000.00000002.00020000.sdmp, 3d0.dll |
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E2200 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E2253 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D7DCF push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D7A60 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F0815 push esi; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F4391 pushfd ; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010EE204 push ebx; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F45B9 push ds; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F266E push eax; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F4ECD push ebx; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01157D0C push edx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0115773B push esp; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01156D42 push ebp; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011574B3 push ebx; retf |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E2200 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E2253 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F4391 pushfd ; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030EE204 push ebx; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F0815 push esi; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F266E push eax; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F4ECD push ebx; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F45B9 push ds; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03157D0C push edx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0315773B push esp; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03156D42 push ebp; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_031574B3 push ebx; retf |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04972200 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04972253 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049845B9 push ds; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04984ECD push ebx; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0498266E push eax; ret |
Source: Yara match | File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01154F71 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01154EA7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01154AAE push dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03154F71 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03154EA7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03154AAE push dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049E4F71 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049E4AAE push dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049E4EA7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F84F71 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F84AAE push dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F84EA7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F54F71 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F54EA7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F54AAE push dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111B900 GetProcessHeap,RtlAllocateHeap,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_init,__mtinit,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__mtterm,__heap_term,___setargv,__setenvp,__cinit,__ioterm,__mtterm,__heap_term,__CrtSetDbgFlag,__CrtDumpMemoryLeaks,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__encode_pointer,__initptd,GetCurrentThreadId,__freeptd, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01120680 SetUnhandledExceptionFilter,__encode_pointer, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011206B0 __encode_pointer,SetUnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0311C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0311B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03120680 SetUnhandledExceptionFilter,__encode_pointer, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_031206B0 __encode_pointer,SetUnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0311DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049ADC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049B0680 SetUnhandledExceptionFilter,__encode_pointer, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049B06B0 __encode_pointer,SetUnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049AB8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049AC060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F4B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F4C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F506B0 __encode_pointer,SetUnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F50680 SetUnhandledExceptionFilter,__encode_pointer, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F4DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F1B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F1C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F206B0 __encode_pointer,SetUnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F20680 SetUnhandledExceptionFilter,__encode_pointer, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F1DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 |
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03294454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
Source: Yara match | File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY |