Source: 49vodysf.club |
Virustotal: Detection: 6% |
Source: nazamoskaotp.xyz |
Virustotal: Detection: 5% |
Source: aFqZ2vCizZ.dll |
Virustotal: Detection: 7% |
Source: aFqZ2vCizZ.dll |
ReversingLabs: Detection: 51% |
Source: Yara match |
File source: 1.3.loaddll32.exe.14a1261.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.loaddll32.exe.6e140000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.3d1261.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.3d1261.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.rundll32.exe.6e140000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.3.rundll32.exe.421261.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.loaddll32.exe.14a1261.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.3.rundll32.exe.421261.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000005.00000003.356800062.0000000000420000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.470777736.000000006E143000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.472279306.000000006E143000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.363239046.00000000014A0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.356776329.00000000003D0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 5748, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 5396, type: MEMORYSTR |
Source: aFqZ2vCizZ.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: aFqZ2vCizZ.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: c:\found\21\50\70\Them\43\35\40\Dad\60\cook.pdb source: loaddll32.exe, 00000001.00000002.471079471.000000006E16D000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.472688978.000000006E16D000.00000002.00020000.sdmp, aFqZ2vCizZ.dll |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1651B4 FindFirstFileExA, |
1_2_6E1651B4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E1651B4 FindFirstFileExA, |
5_2_6E1651B4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
DNS query: nazamoskaotp.xyz |
Source: C:\Windows\System32\loaddll32.exe |
DNS query: nazamoskaotp.xyz |
Source: unknown |
DNS traffic detected: query: nazamoskaotp.xyz replaycode: Server failure (2) |
Source: unknown |
DNS traffic detected: query: 49vodysf.club replaycode: Server failure (2) |
Source: unknown |
DNS traffic detected: queries for: nazamoskaotp.xyz |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0 |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08 |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0 |
Source: loaddll32.exe, 00000001.00000002.469315984.0000000001671000.00000004.00000020.sdmp |
String found in binary or memory: https://49vodysf.club/ |
Source: loaddll32.exe, 00000001.00000003.442595897.0000000001667000.00000004.00000001.sdmp |
String found in binary or memory: https://49vodysf.club/Z |
Source: loaddll32.exe, 00000001.00000003.374734261.0000000001667000.00000004.00000001.sdmp |
String found in binary or memory: https://49vodysf.club/e |
Source: loaddll32.exe, 00000001.00000003.420123389.000000000167C000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.469357450.000000000167C000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000003.442595897.0000000001667000.00000004.00000001.sdmp |
String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF0000000000000000 |
Source: loaddll32.exe, 00000001.00000003.374700540.0000000001673000.00000004.00000001.sdmp |
String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF0000000000000000$ |
Source: loaddll32.exe, 00000001.00000002.469315984.0000000001671000.00000004.00000020.sdmp |
String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF000000000000000000$ |
Source: loaddll32.exe, 00000001.00000003.420123389.000000000167C000.00000004.00000001.sdmp |
String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF0000000000000000g |
Source: loaddll32.exe, 00000001.00000003.442660303.000000000167C000.00000004.00000001.sdmp |
String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF0000000000000000ze6Q |
Source: loaddll32.exe, 00000001.00000003.363811459.000000000165A000.00000004.00000001.sdmp |
String found in binary or memory: https://nazamoskaotp.xyz/ |
Source: loaddll32.exe, 00000001.00000003.420123389.000000000167C000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.363828561.0000000001667000.00000004.00000001.sdmp |
String found in binary or memory: https://nazamoskaotp.xyz/image/?id=0138AFCD2917C220F300FF0000000000000000 |
Source: loaddll32.exe, 00000001.00000003.430907985.0000000001674000.00000004.00000001.sdmp |
String found in binary or memory: https://nazamoskaotp.xyz/image/?id=0138AFCD2917C220F300FF0000000000000000$ |
Source: loaddll32.exe, 00000001.00000003.430917491.000000000167C000.00000004.00000001.sdmp |
String found in binary or memory: https://nazamoskaotp.xyz/image/?id=0138AFCD2917C220F300FF0000000000000000e |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: aFqZ2vCizZ.dll |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: loaddll32.exe, 00000001.00000002.469054338.000000000162B000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
DNS query: name: nazamoskaotp.xyz |
Source: C:\Windows\SysWOW64\rundll32.exe |
DNS query: name: 49vodysf.club |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E155A80 |
1_2_6E155A80 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E154FD0 |
1_2_6E154FD0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E146C30 |
1_2_6E146C30 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E162D1F |
1_2_6E162D1F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E147810 |
1_2_6E147810 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E155A80 |
5_2_6E155A80 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E154FD0 |
5_2_6E154FD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E147810 |
5_2_6E147810 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E146C30 |
5_2_6E146C30 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E162D1F |
5_2_6E162D1F |
Source: aFqZ2vCizZ.dll |
Static PE information: invalid certificate |
Source: aFqZ2vCizZ.dll |
Binary or memory string: OriginalFilenamecook.dll8 vs aFqZ2vCizZ.dll |
Source: classification engine |
Classification label: mal96.troj.evad.winDLL@7/0@24/0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
File created: C:\Users\user\AppData\Local\gaziizac32\ |
Source: aFqZ2vCizZ.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\rundll32.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\aFqZ2vCizZ.dll,Rulefigure |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\aFqZ2vCizZ.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\aFqZ2vCizZ.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\aFqZ2vCizZ.dll,Rulefigure |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\aFqZ2vCizZ.dll',#1 |
|
Source: aFqZ2vCizZ.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: aFqZ2vCizZ.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: aFqZ2vCizZ.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: aFqZ2vCizZ.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: aFqZ2vCizZ.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: aFqZ2vCizZ.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: aFqZ2vCizZ.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: aFqZ2vCizZ.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: aFqZ2vCizZ.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: aFqZ2vCizZ.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: aFqZ2vCizZ.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E14EF9C push dword ptr [ebx-1AD723F2h]; retf |
1_2_6E14EFC7 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E158B76 push ecx; ret |
1_2_6E158B89 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1589C1 push ecx; ret |
1_2_6E1589D4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1851BC push dword ptr [ebx-1AD723F2h]; retf |
1_2_6E1851E7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E158B76 push ecx; ret |
5_2_6E158B89 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E1589C1 push ecx; ret |
5_2_6E1589D4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E1851BC push dword ptr [ebx-1AD723F2h]; retf |
5_2_6E1851E7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1415E6 wsprintfA, |
1_2_6E1415E6 |
Source: C:\Windows\SysWOW64\rundll32.exe |
RDTSC instruction interceptor: First address: 000000006E141627 second address: 000000006E141647 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 mov dword ptr [esp+1Ch], edx 0x00000008 xor eax, eax 0x0000000a lea edi, dword ptr [esp+28h] 0x0000000e inc eax 0x0000000f xor ecx, ecx 0x00000011 cpuid 0x00000013 mov dword ptr [edi], eax 0x00000015 mov eax, edi 0x00000017 mov dword ptr [eax+04h], ebx 0x0000001a mov dword ptr [eax+08h], ecx 0x0000001d mov dword ptr [eax+0Ch], edx 0x00000020 rdtsc |
Source: C:\Windows\SysWOW64\rundll32.exe |
RDTSC instruction interceptor: First address: 000000006E141647 second address: 000000006E141627 instructions: 0x00000000 rdtsc 0x00000002 sub eax, esi 0x00000004 sbb edx, dword ptr [esp+1Ch] 0x00000008 test edx, edx 0x0000000a jnbe 00007F9544BB979Ah 0x0000000c jc 00007F9544BB9759h 0x0000000e cmp eax, 000000FAh 0x00000013 jnc 00007F9544BB9758h 0x00000015 inc byte ptr [esp+1Ah] 0x00000019 jmp 00007F9544BB978Fh 0x0000001b sub ebp, 01h 0x0000001e jne 00007F9544BB96D5h 0x00000020 rdtsc |
Source: C:\Windows\System32\loaddll32.exe |
RDTSC instruction interceptor: First address: 000000006E141627 second address: 000000006E141647 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 mov dword ptr [esp+1Ch], edx 0x00000008 xor eax, eax 0x0000000a lea edi, dword ptr [esp+28h] 0x0000000e inc eax 0x0000000f xor ecx, ecx 0x00000011 cpuid 0x00000013 mov dword ptr [edi], eax 0x00000015 mov eax, edi 0x00000017 mov dword ptr [eax+04h], ebx 0x0000001a mov dword ptr [eax+08h], ecx 0x0000001d mov dword ptr [eax+0Ch], edx 0x00000020 rdtsc |
Source: C:\Windows\System32\loaddll32.exe |
RDTSC instruction interceptor: First address: 000000006E141647 second address: 000000006E141627 instructions: 0x00000000 rdtsc 0x00000002 sub eax, esi 0x00000004 sbb edx, dword ptr [esp+1Ch] 0x00000008 test edx, edx 0x0000000a jnbe 00007F9544BB979Ah 0x0000000c jc 00007F9544BB9759h 0x0000000e cmp eax, 000000FAh 0x00000013 jnc 00007F9544BB9758h 0x00000015 inc byte ptr [esp+1Ah] 0x00000019 jmp 00007F9544BB978Fh 0x0000001b sub ebp, 01h 0x0000001e jne 00007F9544BB96D5h 0x00000020 rdtsc |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E14171A rdtsc |
1_2_6E14171A |
Source: C:\Windows\SysWOW64\rundll32.exe |
API coverage: 4.4 % |
Source: C:\Windows\System32\loaddll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: loaddll32.exe, 00000001.00000002.469054338.000000000162B000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E15CCFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
1_2_6E15CCFF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E15E9A8 mov eax, dword ptr fs:[00000030h] |
1_2_6E15E9A8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1842F8 mov eax, dword ptr fs:[00000030h] |
1_2_6E1842F8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E183E36 push dword ptr fs:[00000030h] |
1_2_6E183E36 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E18422E mov eax, dword ptr fs:[00000030h] |
1_2_6E18422E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E15E9A8 mov eax, dword ptr fs:[00000030h] |
5_2_6E15E9A8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E1842F8 mov eax, dword ptr fs:[00000030h] |
5_2_6E1842F8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E183E36 push dword ptr fs:[00000030h] |
5_2_6E183E36 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E18422E mov eax, dword ptr fs:[00000030h] |
5_2_6E18422E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E141130 CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,CloseHandle, |
1_2_6E141130 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E158EAF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
1_2_6E158EAF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E158D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
1_2_6E158D8D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E158EAF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
5_2_6E158EAF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E15CCFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
5_2_6E15CCFF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 5_2_6E158D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
5_2_6E158D8D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Domain query: nazamoskaotp.xyz |
Source: C:\Windows\SysWOW64\rundll32.exe |
Domain query: 49vodysf.club |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\aFqZ2vCizZ.dll',#1 |
Source: loaddll32.exe, 00000001.00000002.469457279.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.469608358.0000000002C50000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000001.00000002.469457279.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.469608358.0000000002C50000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.469457279.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.469608358.0000000002C50000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.469457279.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.469608358.0000000002C50000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1415E6 cpuid |
1_2_6E1415E6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
1_2_6E167F19 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
1_2_6E1677B5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
1_2_6E161C56 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
1_2_6E167DF0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
1_2_6E167A2D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
1_2_6E167A78 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
1_2_6E167B13 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
1_2_6E168020 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
1_2_6E1618B1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
1_2_6E1680ED |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
5_2_6E167A2D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
5_2_6E167A78 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
5_2_6E167B13 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
5_2_6E167F19 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
5_2_6E1677B5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
5_2_6E168020 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
5_2_6E161C56 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
5_2_6E1618B1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
5_2_6E1680ED |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
5_2_6E167DF0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1590AA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
1_2_6E1590AA |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_6E1414D2 GetUserNameA, |
1_2_6E1414D2 |