{"RSA Public Key": "YspyHla3Q+Y+mL+jkDMPo0K37HDx3ZQpkC6iMQ9FB0Jvz67qLEuPPd+7itRbk+5jPXxEvcc4HELzBbK+zEpcnk3gfkFepE47XU1UkIqwsz5EFKG4uDfy9jLX4cSD4IKUeWVT2AmhhkhIjXebeVqL2cavKIWzE+O11PlMSJB8CPxu3rcoXlZgOw7DYBYyTHdQlEkgzTqDwlIzW3bdSDtO0jlb1GqIU5jAVZj0nusFmwufXbMRHKThAuzV0SiB8H0jceNWGALcy01VeCV7PJrnPe8wCvy64gODn28q2topDihJ51KGWbMNR5jWjFp/LTmfqJ9+UqlA3XrMm4Ht2D3DJEE72pdtZyqrd+EuqZEvdjw=", "c2_domain": ["app5.folion.xyz", "wer.defone.click", "app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "2500", "server": "580", "serpent_key": "lOrlLLFRkSMi2UOq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "YspyHla3Q+Y+mL+jkDMPo0K37HDx3ZQpkC6iMQ9FB0Jvz67qLEuPPd+7itRbk+5jPXxEvcc4HELzBbK+zEpcnk3gfkFepE47XU1UkIqwsz5EFKG4uDfy9jLX4cSD4IKUeWVT2AmhhkhIjXebeVqL2cavKIWzE+O11PlMSJB8CPxu3rcoXlZgOw7DYBYyTHdQlEkgzTqDwlIzW3bdSDtO0jlb1GqIU5jAVZj0nusFmwufXbMRHKThAuzV0SiB8H0jceNWGALcy01VeCV7PJrnPe8wCvy64gODn28q2topDihJ51KGWbMNR5jWjFp/LTmfqJ9+UqlA3XrMm4Ht2D3DJEE72pdtZyqrd+EuqZEvdjw=", "c2_domain": ["app5.folion.xyz", "wer.defone.click", "app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "2500", "server": "580", "serpent_key": "lOrlLLFRkSMi2UOq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"} |
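The block above is the raw JSON the configuration extractor emitted from the unpacked module. The script below is an added example for this page (not part of the sandbox report, the extractor, or the Ursnif tooling): it parses that JSON, checks the fields a hunter relies on (the RSA blob is valid base64, the Serpent key has a legal key size, the timing fields convert to integers), normalises the C2 host list, and emits one Suricata DNS rule per domain. The RSA blob is treated as opaque bytes because the report does not document its layout; the sid range is an arbitrary local choice.

```python
import base64
import json
from urllib.parse import urlsplit

# The Ursnif configuration exactly as the extractor reported it (copied from the
# report; the key is split across source lines only for readability).
CONFIG_TEXT = (
    '{"RSA Public Key": "'
    'YspyHla3Q+Y+mL+jkDMPo0K37HDx3ZQpkC6iMQ9FB0Jvz67qLEuPPd+7itRbk+5jPXxEvcc4HELzBbK+zEpcnk3gfk'
    'FepE47XU1UkIqwsz5EFKG4uDfy9jLX4cSD4IKUeWVT2AmhhkhIjXebeVqL2cavKIWzE+O11PlMSJB8CPxu3rcoXlZg'
    'Ow7DYBYyTHdQlEkgzTqDwlIzW3bdSDtO0jlb1GqIU5jAVZj0nusFmwufXbMRHKThAuzV0SiB8H0jceNWGALcy01VeC'
    'V7PJrnPe8wCvy64gODn28q2topDihJ51KGWbMNR5jWjFp/LTmfqJ9+UqlA3XrMm4Ht2D3DJEE72pdtZyqrd+EuqZEvdjw="'
    ', "c2_domain": ["app5.folion.xyz", "wer.defone.click", "app10.laptok.at", '
    '"apt.feel500.at", "init.in100k.at"], "botnet": "2500", "server": "580", '
    '"serpent_key": "lOrlLLFRkSMi2UOq", "sleep_time": "10", "CONF_TIMEOUT": "20", '
    '"SetWaitableTimer_value": "10"}'
)

REQUIRED = ("RSA Public Key", "c2_domain", "serpent_key",
            "sleep_time", "CONF_TIMEOUT", "SetWaitableTimer_value")


def load_config(text):
    """Parse the extractor JSON and refuse configs missing the fields used below."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError(f"config missing fields: {missing}")
    return cfg


def rsa_key_blob(cfg):
    """Strictly base64-decode the RSA public key. The blob's internal layout is not
    documented in the report, so it is returned as opaque bytes."""
    return base64.b64decode(cfg["RSA Public Key"], validate=True)


def serpent_key(cfg):
    """Serpent accepts 128/192/256-bit keys; the config carries the key as ASCII text."""
    key = cfg["serpent_key"].encode("ascii")
    if len(key) not in (16, 24, 32):
        raise ValueError(f"serpent_key is {len(key)} bytes, not a valid Serpent key size")
    return key


def timing(cfg):
    """Beacon timing fields are strings in the JSON; return them as integers."""
    return {k: int(cfg[k]) for k in ("sleep_time", "CONF_TIMEOUT", "SetWaitableTimer_value")}


def c2_domains(cfg):
    """Normalised, de-duplicated C2 host list (lower-case, no trailing dot)."""
    seen, out = set(), []
    for d in cfg["c2_domain"]:
        d = d.strip().lower().rstrip(".")
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def is_c2_url(url, cfg):
    """True when the URL's host is a configured C2 domain. Only the host is matched:
    the beacon path seen in the report looks request-specific."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in c2_domains(cfg)


def suricata_dns_rules(cfg, sid_base=1000000):
    """One Suricata DNS-query rule per C2 domain (sid_base is an arbitrary local choice)."""
    rules = []
    for n, d in enumerate(c2_domains(cfg)):
        rules.append(
            f'alert dns any any -> any any (msg:"Ursnif C2 DNS query {d}"; '
            f'dns.query; content:"{d}"; nocase; sid:{sid_base + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = load_config(CONFIG_TEXT)
    print("rsa blob bytes:", len(rsa_key_blob(cfg)), "serpent key bytes:", len(serpent_key(cfg)))
    print("timing:", timing(cfg))
    print("\n".join(suricata_dns_rules(cfg)))
```

The same loader works on any extractor output with these field names; feed it a different report's JSON and the rule generator produces that campaign's DNS rules.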
Source: 0f.dll | Metadefender: Detection: 24% | Perma Link |
Source: 0f.dll | ReversingLabs: Detection: 78% |
Source: 5.2.rundll32.exe.10000000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 1.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F935A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, |
Source: 0f.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F94E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01374E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz |
Source: msapplication.xml0.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml0.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml5.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml5.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml7.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: msapplication.xml7.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp | String found in binary or memory: http://app5.folion.xyz |
Source: {C5D724C3-27C1-11EC-90E9-ECF4BB862DED}.dat.19.dr | String found in binary or memory: http://app5.folion.xyz/C6VmqHmn62rFCww6y4ysR/P0nI5lbrE_2FoyZm/BDBmvveWjO3LK9Q/55XxQq6CmCPdNvBaEz/m5n |
Source: msapplication.xml.19.dr | String found in binary or memory: http://www.amazon.com/ |
Source: msapplication.xml1.19.dr | String found in binary or memory: http://www.google.com/ |
Source: msapplication.xml2.19.dr | String found in binary or memory: http://www.live.com/ |
Source: msapplication.xml3.19.dr | String found in binary or memory: http://www.nytimes.com/ |
Source: msapplication.xml4.19.dr | String found in binary or memory: http://www.reddit.com/ |
Source: msapplication.xml5.19.dr | String found in binary or memory: http://www.twitter.com/ |
Source: msapplication.xml6.19.dr | String found in binary or memory: http://www.wikipedia.com/ |
Source: msapplication.xml7.19.dr | String found in binary or memory: http://www.youtube.com/ |
Source: unknown | DNS traffic detected: queries for: app5.folion.xyz |
Source: Yara match | File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR |
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY |
Source: loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
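The lines above show loaddll32.exe writing registry values through WMI's StdRegProv methods (SetDWORDValue, SetBinaryValue, SetStringValue) instead of the Win32 registry API. That matters for detection: StdRegProv executes inside the WMI provider host, so a registry-write telemetry source such as Sysmon attributes the write to WmiPrvSE.exe rather than to the process that requested it, and any rule keyed on the writing image will miss the malware. The logic below is an added example for this page (not from the report or Joe Sandbox) that flags WMI-mediated writes to sensitive keys. The Sysmon-style events are constructed, and both the watched and the allowlisted registry paths are assumptions to tune per environment.

```python
# Constructed Sysmon-style RegistryEvent records (Event ID 13 = value set, 12 = key/value
# create or delete). They are sample input for this example, not events from the report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"rundll32.exe C:\Users\user\Desktop\0f.dll,Start"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Wbem\CIMOM\LastServiceStart",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Contoso\Agent\LastRun",
     "Details": "DWORD (0x6155e3a0)"},
    {"EventID": 12, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": ""},
]

WMI_PROVIDER_HOST = r"\wmiprvse.exe"

# Registry locations worth an alert when written via WMI (assumption; tune per environment).
WATCHED_SUBSTRINGS = (
    r"\software\microsoft\windows\currentversion\run",   # also matches RunOnce
    r"\software\classes\clsid",
)
# Paths the provider host legitimately writes on its own (assumption; confirm on a known-good host).
ALLOWED_SUBSTRINGS = (r"\software\microsoft\wbem",)


def is_wmi_mediated_write(ev):
    """Sysmon 13 (value set) whose writing image is the WMI provider host."""
    return ev.get("EventID") == 13 and ev.get("Image", "").lower().endswith(WMI_PROVIDER_HOST)


def is_watched_target(target):
    """Watched key, unless it sits under a path allowlisted for WmiPrvSE.exe itself."""
    t = target.lower()
    if any(a in t for a in ALLOWED_SUBSTRINGS):
        return False
    return any(w in t for w in WATCHED_SUBSTRINGS)


def flag_wmi_registry_writes(events):
    """Events where a watched key was written through StdRegProv-style WMI calls."""
    return [ev for ev in events
            if is_wmi_mediated_write(ev) and is_watched_target(ev.get("TargetObject", ""))]


def value_kind(details):
    """Map Sysmon's Details rendering back to the StdRegProv method family that produced it."""
    if details.startswith("DWORD (") or details.startswith("QWORD ("):
        return "SetDWORDValue/SetQWORDValue"
    if details == "Binary Data":
        return "SetBinaryValue"
    return "SetStringValue/SetExpandedStringValue"


if __name__ == "__main__":
    for ev in flag_wmi_registry_writes(SAMPLE_EVENTS):
        print(value_kind(ev["Details"]), "->", ev["TargetObject"])
```

Because the requesting process is invisible in the registry event itself, treat a hit as a lead to correlate with process telemetry from the same host and time window rather than as a self-contained alert.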
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002264 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F96609 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F97FA8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01377FA8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01376609 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF9305 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF1000 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF3F1C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF3AAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF33AA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFBDAA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFB4AA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFA6BB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF59E4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFA4FC |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF1BF7 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF7FF1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF21C0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFA3DD |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF75DC |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2E21 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF810A |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2D03 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFC217 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF204B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2F59 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF1458 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFA257 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF1556 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10002264 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001B89 NtMapViewOfSection, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100018D1 GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002485 NtQueryVirtualMemory, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F93CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F981CD NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01373CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_013781CD NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10002485 NtQueryVirtualMemory, |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F919E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,Start |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0f.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2 |
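The process-creation lines above show the DLL's export being invoked two ways: by name (`0f.dll,Start`) and by ordinal (`'0f.dll',#1`, with the report rendering the command line's double quotes as single quotes), once directly and once wrapped in `cmd.exe /C`. The DLL sits on the Desktop because the sandbox placed it there, but on a production host a rundll32 load from a user-writable directory is itself the signal. The parser and triage below are an added example for this page (not from the report): they locate rundll32 anywhere in a command line, split its argument into DLL, entry point and ordinal, and return the reasons the invocation deserves a look. The list of user-writable directories is an assumption.

```python
import re

# Directories an unprivileged user can write to (assumption; extend for your estate).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def _next_token(s):
    """Pop one command-line token; quoted tokens may use \" or ' (the report renders \" as ')."""
    s = s.lstrip()
    if not s:
        return None, ""
    if s[0] in "\"'":
        end = s.find(s[0], 1)
        return (s[1:], "") if end < 0 else (s[1:end], s[end + 1:])
    m = re.match(r"\S+", s)
    return m.group(0), s[m.end():]


def parse_rundll32(cmdline):
    """Find rundll32 in the command line (it may be wrapped, e.g. cmd.exe /C rundll32 ...)
    and split its argument into DLL, entry point, ordinal and trailing arguments.
    Returns None when rundll32 is absent or the argument is malformed."""
    rest = cmdline
    while True:
        tok, rest = _next_token(rest)
        if tok is None:
            return None
        if tok.replace("\\", "/").rsplit("/", 1)[-1].lower() in ("rundll32", "rundll32.exe"):
            break
    rest = rest.lstrip()
    if not rest:
        return None
    if rest[0] in "\"'":                       # quoted DLL path: read up to the closing quote
        end = rest.find(rest[0], 1)
        if end < 0:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:                                      # unquoted: the DLL ends at the first comma or space
        m = re.match(r"[^,\s]+", rest)
        if not m:
            return None
        dll, rest = m.group(0), rest[m.end():]
    entry = None
    m = re.match(r"\s*,\s*(\S*)", rest)        # rundll32 separates DLL and entry with a comma
    if m:
        entry, rest = (m.group(1) or None), rest[m.end():]
    ordinal = int(entry[1:]) if entry and entry.startswith("#") and entry[1:].isdigit() else None
    return {"dll": dll, "entry": entry, "ordinal": ordinal, "args": rest.strip()}


def triage_rundll32(cmdline):
    """Reasons a rundll32 invocation deserves a look; [] means nothing stood out, None means no rundll32."""
    p = parse_rundll32(cmdline)
    if p is None:
        return None
    d = p["dll"].lower()
    reasons = []
    if any(k in d for k in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable path")
    if p["ordinal"] is not None:
        reasons.append(f"entry point given by ordinal #{p['ordinal']}")
    if not d.endswith(".dll"):
        reasons.append("DLL name without .dll extension")
    return reasons


# Command lines as they appear in the report (sandbox rendering with single quotes).
REPORT_CMDLINES = [
    r"rundll32.exe C:\Users\user\Desktop\0f.dll,Start",
    r"rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1",
    r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1",
]

if __name__ == "__main__":
    for c in REPORT_CMDLINES:
        print(c, "->", parse_rundll32(c), triage_rundll32(c))
```

Point the triage function at process-creation telemetry and keep the benign case in mind: `rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL` yields no reasons, which is the intended baseline.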
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High | Jump to behavior |
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCB4F6EF3903B6C34.TMP | Jump to behavior |
Source: classification engine | Classification label: mal96.troj.winDLL@10/19@3/0 |
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini | Jump to behavior |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push ebp; mov dword ptr [esp], FFFF0000h |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push dword ptr [ebp-04h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push dword ptr [ebp-04h]; mov dword ptr [esp], esp |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push esi; mov dword ptr [esp], 000FFFFFh |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push 00000000h; mov dword ptr [esp], esi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E95B06 push 00000000h; mov dword ptr [esp], ebp |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E95B06 push edi; mov dword ptr [esp], 00000003h |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E95B06 push ebx; mov dword ptr [esp], 00F00000h |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002200 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002253 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A2D8 pushad ; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A2D4 pushad ; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A294 pushad ; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9B67C push ss; retf |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F97C20 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F97F97 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A169 pushad ; iretd |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9B163 push edx; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push 00000000h; mov dword ptr [esp], ebp |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push edi; mov dword ptr [esp], 00000003h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push ebx; mov dword ptr [esp], 00F00000h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push ebp; mov dword ptr [esp], FFFF0000h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-04h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-04h]; mov dword ptr [esp], esp |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push esi; mov dword ptr [esp], 000FFFFFh |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push 00000000h; mov dword ptr [esp], esi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0137B163 push edx; iretd |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01377F97 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01377C20 push ecx; ret |
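The `push X; mov dword ptr [esp], Y` pairs listed above are a simple obfuscation: the pushed value is dead because the mov overwrites the slot at once, so each pair is a single `push Y`. The one twist is `mov dword ptr [esp], esp`, which stores the already-decremented esp, so it is not the same as `push esp`. Of the remaining lines, `push ecx; ret` is an obfuscated `jmp ecx`, while `pushad; iretd`, `push ss; retf` and `push edx; iretd` are not meaningful control transfers inside a function body and are best treated as junk or data misread as code. The scanner below is an added example for this page (not from the report or the sample) that normalises exactly these forms; it decodes only the encodings present in the listing, and the input bytes are constructed to reproduce those instructions back to back.

```python
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_push(buf, i):
    """Decode the push forms seen in the listing at buf[i]: returns (length, text) or None."""
    b = buf[i]
    if 0x50 <= b <= 0x57:                                        # push r32
        return 1, f"push {REG32[b - 0x50]}"
    if b == 0x6A and i + 1 < len(buf):                           # push imm8 (sign-extended)
        imm = buf[i + 1] - 0x100 if buf[i + 1] & 0x80 else buf[i + 1]
        return 2, f"push {imm}"
    if b == 0xFF and i + 2 < len(buf) and buf[i + 1] == 0x75:   # push dword ptr [ebp+disp8]
        d = buf[i + 2] - 0x100 if buf[i + 2] & 0x80 else buf[i + 2]
        return 3, f"push dword ptr [ebp{d:+#x}]"
    if b == 0x60:
        return 1, "pushad"
    if b == 0x16:
        return 1, "push ss"
    return None


def decode_mov_esp(buf, i):
    """Decode 'mov dword ptr [esp], imm32' (C7 04 24 imm32) or 'mov dword ptr [esp], r32'
    (89 /r with SIB 24) at buf[i]: returns (length, ("imm", value) or ("reg", name)) or None."""
    if i + 2 < len(buf) and buf[i + 2] == 0x24:                  # SIB byte: base=esp, no index
        if buf[i] == 0xC7 and buf[i + 1] == 0x04 and i + 6 < len(buf):
            return 7, ("imm", int.from_bytes(buf[i + 3:i + 7], "little"))
        if buf[i] == 0x89 and (buf[i + 1] & 0xC7) == 0x04:
            return 3, ("reg", REG32[(buf[i + 1] >> 3) & 7])
    return None


def simplify(buf):
    """Rewrite the obfuscated push sequences in buf into their plain equivalents."""
    out, i = [], 0
    while i < len(buf):
        p = decode_push(buf, i)
        if p is None:
            out.append(f"db 0x{buf[i]:02x}")
            i += 1
            continue
        plen, ptext = p
        j = i + plen
        m = decode_mov_esp(buf, j)
        if m is not None:                                        # push X; mov [esp], Y  ==  push Y
            mlen, (kind, val) = m
            if kind == "imm":
                out.append(f"push 0x{val:08x}")
            elif val == "esp":                                   # esp was already decremented by the push
                out.append("push (esp-4)")
            else:
                out.append(f"push {val}")
            i = j + mlen
            continue
        nxt = buf[j] if j < len(buf) else None
        if nxt == 0xC3 and ptext not in ("pushad", "push ss"):  # push X; ret  ==  jmp X
            out.append(f"jmp {ptext[5:]}")
            i = j + 1
            continue
        if nxt in (0xCF, 0xCB):                                  # iretd/retf after a lone push: junk
            out.append(f"junk: {ptext}; {'iretd' if nxt == 0xCF else 'retf'}")
            i = j + 1
            continue
        out.append(ptext)
        i = j
    return out


# Constructed bytes encoding the sequences from the listing above, back to back.
SAMPLE = bytes.fromhex(
    "55 C70424 0000FFFF"   # push ebp; mov dword ptr [esp], FFFF0000h
    "FF75FC 890424"        # push dword ptr [ebp-04h]; mov dword ptr [esp], eax
    "FF75F4 890C24"        # push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx
    "FF75FC 892424"        # push dword ptr [ebp-04h]; mov dword ptr [esp], esp
    "56 C70424 FFFF0F00"   # push esi; mov dword ptr [esp], 000FFFFFh
    "6A00 893424"          # push 00000000h; mov dword ptr [esp], esi
    "57 C70424 03000000"   # push edi; mov dword ptr [esp], 00000003h
    "53 C70424 0000F000"   # push ebx; mov dword ptr [esp], 00F00000h
    "60CF"                 # pushad ; iretd
    "51C3"                 # push ecx; ret
    "16CB"                 # push ss; retf
    "52CF"                 # push edx; iretd
)

if __name__ == "__main__":
    print("\n".join(simplify(SAMPLE)))
```

The rewrite makes the real argument setup visible (the immediates 0xFFFF0000, 0x000FFFFF, 3 and 0x00F00000 are what the function actually passes); a disassembler's pattern-matching or a YARA rule on the `C7 04 24` / `89 ?? 24` sequences following a one-byte push catches the same construction in other samples.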
Source: 0f.dll | Static PE information: section name: .code |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001F31 LoadLibraryA,GetProcAddress, |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2D03 xor edx, dword ptr fs:[00000030h] |
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F93946 cpuid |
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_1000146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100017A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F93946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |