Source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif
{
  "lang_id": "RU, CN",
  "RSA Public Key": "aHj/FBAOlIGEKeY7hJtySGbhiJ+OuJag0uZwD+z98lrXzI6cghioivt/zNqE6myavQkK1TvPguLqYjDl5wY423TG5cujR5I12+riFLmXU6yLpvCwEpgEflmuQBdLI5UmZ7PM966PLmgcotslJ9y1/jYsiD2WoJkIZSAKBnncJmMF7h9eqsKMXazDFT0yQ2hN",
  "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"],
  "botnet": "1100",
  "server": "730",
  "serpent_key": "R13xH4JuHdOWL6Sg",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "dga_base_url": "constitution.org/usdeclar.txt",
  "dga_tld": "com ru org",
  "DGA_count": "10"
}
Source: 2e.dll | Virustotal: Detection: 65% | Perma Link |
Source: 2e.dll | Metadefender: Detection: 40% | Perma Link |
Source: 2e.dll | ReversingLabs: Detection: 82% |
Source: 2.2.rundll32.exe.30e0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 0.2.loaddll32.exe.e00000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 2.2.rundll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 2e.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 0_2_00FA7DD8 |
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49792 -> 87.106.18.141:80 |
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49792 -> 87.106.18.141:80 |
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49824 -> 87.106.18.141:80 |
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE |
Source: Joe Sandbox View | IP Address: 87.106.18.141 |
Source: msapplication.xml0.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml0.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml5.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml5.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml7.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: msapplication.xml7.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P |
Source: {DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat.21.dr, ~DFB9EDA9C4DE41A518.TMP.21.dr | String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a |
Source: {C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat.15.dr | String found in binary or memory: http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX |
Source: 2e.dll | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: 2e.dll | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: 2e.dll | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: msapplication.xml.15.dr | String found in binary or memory: http://www.amazon.com/ |
Source: msapplication.xml1.15.dr | String found in binary or memory: http://www.google.com/ |
Source: msapplication.xml2.15.dr | String found in binary or memory: http://www.live.com/ |
Source: msapplication.xml3.15.dr | String found in binary or memory: http://www.nytimes.com/ |
Source: msapplication.xml4.15.dr | String found in binary or memory: http://www.reddit.com/ |
Source: msapplication.xml5.15.dr | String found in binary or memory: http://www.twitter.com/ |
Source: msapplication.xml6.15.dr | String found in binary or memory: http://www.wikipedia.com/ |
Source: msapplication.xml7.15.dr | String found in binary or memory: http://www.youtube.com/ |
Source: 2e.dll | String found in binary or memory: https://sectigo.com/CPS0D |
Source: unknown | DNS traffic detected: queries for: api10.laptok.at |
Source: global traffic | HTTP traffic detected:
    GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
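The extracted configuration at the top of the report and the two beacon requests above can be checked mechanically. The Python below is an added example, not Joe Sandbox code and not code from the sample: it splits the configured c2_domain entries into host and path prefix, sanity-checks the key material (the 192-character base64 blob decodes to 144 bytes; the 16-byte serpent_key is a 128-bit Serpent key), parses a raw request, and rebuilds the base64 text of a beacon by joining the URI path segments and reversing the _2B and _2F escapes that the ET rules 2033203/2033204 ("URI Struct M1 (_2B)" and "M2 (_2F)") key on. The two requests embedded in the block are copied from the report with CRLF line endings restored. Assumptions that are this example's own: the function names, the min_blob_len threshold, and the decision to treat any underscore followed by two hex digits as a percent-style escape (the report only shows _2B and _2F). The block neither implements the DGA nor decrypts the Serpent-encrypted payload.

```python
"""Triage helpers for the Ursnif configuration and C2 beacons in the report.
Added example (not Joe Sandbox code, not the sample's code); stdlib only.
It does not implement Ursnif's DGA or its Serpent encryption."""
import base64
import re
from urllib.parse import urlsplit

# Values copied from the report's "Malware Configuration Extractor" line.
URSNIF_CONFIG = {
    "RSA Public Key": (
        "aHj/FBAOlIGEKeY7hJtySGbhiJ+OuJag0uZwD+z98lrXzI6cghioivt/zNqE6myavQkK1T"
        "vPguLqYjDl5wY423TG5cujR5I12+riFLmXU6yLpvCwEpgEflmuQBdLI5UmZ7PM966PLmgc"
        "otslJ9y1/jYsiD2WoJkIZSAKBnncJmMF7h9eqsKMXazDFT0yQ2hN"),
    "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"],
    "serpent_key": "R13xH4JuHdOWL6Sg",
    "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10",
}
# Two requests copied from the report's "HTTP traffic detected" lines, with the
# CRLF line endings restored (the report prints the headers run together).
BEACON_REQUEST = (
    "GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u"
    "/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo"
    "/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX"
    "/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy"
    "/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1\r\n"
    "Accept: text/html, application/xhtml+xml, image/jxr, */*\r\nAccept-Language: en-US\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Accept-Encoding: gzip, deflate\r\nHost: api10.laptok.at\r\nConnection: Keep-Alive\r\n\r\n")
FAVICON_REQUEST = (
    "GET /favicon.ico HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: api10.laptok.at\r\nConnection: Keep-Alive\r\n\r\n")

_ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")      # Ursnif's "_XX" stand-in for "%XX"
_BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+$")


def c2_endpoints(cfg):
    """Split each c2_domain entry ("host/path") into a (host, path prefix) pair."""
    pairs = []
    for entry in cfg["c2_domain"]:
        parts = urlsplit("http://" + entry)
        pairs.append((parts.hostname, parts.path.rstrip("/") or "/"))
    return pairs


def key_summary(cfg):
    """Check the key material: well-formed base64 RSA blob, legal Serpent key size."""
    rsa_blob = base64.b64decode(cfg["RSA Public Key"], validate=True)
    serpent = cfg["serpent_key"].encode()
    if len(serpent) not in (16, 24, 32):
        raise ValueError("unexpected Serpent key length: %d bytes" % len(serpent))
    return {"rsa_blob_bytes": len(rsa_blob), "serpent_key_bits": 8 * len(serpent)}


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser: request line plus headers (lower-cased names)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "host": headers.get("host", "").lower(), "headers": headers}


def normalize_beacon_blob(path, prefix):
    """Rebuild the base64 text from an Ursnif beacon path. Ursnif chops the base64
    into "/"-separated segments and writes "+" and "/" as "_2B" and "_2F". Join the
    segments *before* decoding the escapes: an escape can straddle a segment
    boundary, as in ".../pNJBMQ_2/B9Q8..." in the captured request."""
    joined = path[len(prefix):].strip("/").replace("/", "")
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), joined)


def classify_request(req, cfg, min_blob_len=64):
    """Is this request a beacon to a configured C2 host/path? (min_blob_len is a
    threshold chosen for this example, not something Ursnif enforces.)"""
    path = urlsplit(req["target"]).path
    hits = [(h, p) for h, p in c2_endpoints(cfg)
            if h == req["host"] and path.startswith(p + "/")]
    if not hits:
        return {"is_beacon": False, "reason": "host or path prefix not in config"}
    blob = normalize_beacon_blob(path, hits[0][1])
    looks_base64 = bool(_BASE64_CHARS.match(blob)) and len(blob) >= min_blob_len
    try:  # the bytes are Serpent-encrypted; we only confirm the text decodes
        payload = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        payload = None
    return {"is_beacon": looks_base64, "endpoint": hits[0], "b64": blob,
            "markers": {"_2B": path.count("_2B"), "_2F": path.count("_2F")},
            "payload_len": None if payload is None else len(payload)}
```

Run classify_request(parse_http_request(BEACON_REQUEST), URSNIF_CONFIG) to see the first beacon flagged with its rebuilt base64 text; the favicon request to the same host is not flagged because it lacks the configured /api1 prefix. The join-before-decode order matters: in the first beacon the _2B escape is split across two path segments ("pNJBMQ_2" and "B9Q8..."), so a decoder that processes segments one at a time would leave a stray underscore behind.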
Source: Yara match | File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR |
Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100021A4 | 0_2_100021A4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA40B3 | 0_2_00FA40B3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAAF44 | 0_2_00FAAF44 |
Source: 2e.dll | Static PE information: invalid certificate |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001C22 GetProcAddress,NtCreateSection,memset, | 0_2_10001C22 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001AD1 NtMapViewOfSection, | 0_2_10001AD1 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001252 GetLastError,NtClose, | 0_2_10001252 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100023C5 NtQueryVirtualMemory, | 0_2_100023C5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA7925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, | 0_2_00FA7925 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAB169 NtQueryVirtualMemory, | 0_2_00FAB169 |
Source: 2e.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA229C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, | 0_2_00FA229C |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2e.dll' | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 | |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2 | |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2 | |
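The "Process created" lines above, together with the "WMI Registry write" lines earlier in the report, can be turned back into a process tree with the WMI registry activity attached to the process that performed it. The Python below is an added example, not Joe Sandbox code; its input is the report's own lines, copied verbatim into the REPORT_LINES list. Because these lines carry no PIDs, the tree is keyed by image path, so the two 64-bit iexplore.exe instances collapse into one node that holds both child command lines; that is a limitation of this reconstruction, not of the report. Function names and the output layout are this example's own choices.

```python
"""Rebuild the process tree and per-process WMI registry writes from the
report's "Process created" and "WMI Registry write" lines.
Added example (not Joe Sandbox code). Lines in REPORT_LINES are copied from
the report; processes are keyed by lower-cased image path (no PIDs available)."""
import re
from collections import defaultdict

REPORT_LINES = [
    r"Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2e.dll' | |",
    r"Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 | |",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 | |",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 | Jump to behavior",
    r"Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | |",
    r"Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2 | |",
    r"Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2 | |",
    r"Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |",
    r"Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |",
    r"Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |",
]

# The child image is everything up to the first ".exe"; the rest is its command line.
_IMAGE = re.compile(r"(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$", re.IGNORECASE)
ROOT = "unknown"  # the report names the parent "unknown" for top-level processes


def parse_line(line):
    """Split 'Source: X | Kind: detail | ...' into (source, kind, detail), or None."""
    fields = [f.strip() for f in line.strip().rstrip(" |").split(" | ")]
    if len(fields) < 2 or not fields[0].startswith("Source: "):
        return None
    kind, sep, detail = fields[1].partition(": ")
    return (fields[0][len("Source: "):], kind, detail) if sep else None


def basename(key):
    return key.rsplit("\\", 1)[-1]


def build_tree(lines):
    children = defaultdict(list)  # parent key -> ordered, de-duplicated child keys
    parent = {}                   # child key -> parent key (first creation wins)
    cmdlines = defaultdict(list)  # child key -> distinct command lines seen
    wmi = defaultdict(list)       # process key -> StdRegProv methods it invoked
    display = {}                  # lower-cased key -> path as printed in the report
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, kind, detail = parsed
        src = source.lower()
        display.setdefault(src, source)
        if kind == "Process created":
            m = _IMAGE.match(detail)
            if not m:
                continue
            child = m.group("image").lower()
            display.setdefault(child, m.group("image"))
            if child not in children[src]:
                children[src].append(child)
            parent.setdefault(child, src)
            cmd = m.group("cmdline") or ""
            if cmd and cmd not in cmdlines[child]:
                cmdlines[child].append(cmd)
        elif kind == "WMI Registry write":
            method = detail.rsplit("::", 1)[-1]
            if method not in wmi[src]:
                wmi[src].append(method)
    return {"children": dict(children), "parent": parent,
            "cmdlines": dict(cmdlines), "wmi": dict(wmi), "display": display}


def ancestry(tree, key):
    """Image basenames from the top-level process down to `key`."""
    chain = [key]
    while tree["parent"].get(chain[-1], ROOT) != ROOT:
        chain.append(tree["parent"][chain[-1]])
    return [basename(k) for k in reversed(chain)]


def wmi_registry_writers(tree):
    """Processes that wrote the registry through WMI's StdRegProv instead of the
    Win32 registry API. The write is carried out by the WMI provider host
    (WmiPrvSE.exe), so user-mode hooks in the caller never see a RegSetValueEx."""
    return {basename(k) for k, methods in tree["wmi"].items() if methods}


def render(tree, key=ROOT, depth=0):
    """Indented text rendering: one line per process, command line and WMI summary."""
    out = []
    for child in tree["children"].get(key, []):
        pad = "  " * depth
        out.append(pad + tree["display"][child])
        out.extend(pad + "    cmd: " + c for c in tree["cmdlines"].get(child, []))
        if tree["wmi"].get(child):
            out.append(pad + "    WMI StdRegProv: " + ", ".join(tree["wmi"][child]))
        out.extend(render(tree, child, depth + 1))
    return out


if __name__ == "__main__":
    print("\n".join(render(build_tree(REPORT_LINES))))
```

Running the block prints loaddll32.exe at the top with cmd.exe and rundll32.exe beneath it, each annotated with the StdRegProv methods it called, followed by the iexplore.exe pair. The trailing "| |" and "| Jump to behavior" variants of the same creation line are folded together, which is why the repeated rundll32.exe creation appears once.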
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 | Jump to behavior |
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2243AE9-2779-11EC-90EB-ECF4BBEA1588}.dat | Jump to behavior |
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF302033FC2C26A542.TMP | Jump to behavior |
Source: classification engine | Classification label: mal100.troj.winDLL@11/19@2/1 |
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini | Jump to behavior |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002193 push ecx; ret | 0_2_100021A3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002140 push ecx; ret | 0_2_10002149 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE6BE push esp; retf | 0_2_00FAE6BF |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAAC00 push ecx; ret | 0_2_00FAAC09 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE1AF push ebx; ret | 0_2_00FAE1B2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE163 push edx; iretd | 0_2_00FAE164 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAAF33 push ecx; ret | 0_2_00FAAF43 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D5BAD0 push edx; ret | 0_2_00D5BBD4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53C54 push eax; iretd | 0_2_00D53C4B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53C32 push eax; iretd | 0_2_00D53C4B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D5197F push ds; retf | 0_2_00D5198D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D516B6 push ecx; ret | 0_2_00D516B7 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D552B6 push esp; iretd | 0_2_00D552D5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D55EB0 push 0E0634C7h; retf | 0_2_00D55EB5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53205 push cs; retf | 0_2_00D53206 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53FFB pushad ; iretd | 0_2_00D5400E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D533A6 push ds; ret | 0_2_00D533BB |
Source: 2e.dll | Static PE information: section name: .data2 |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 0_2_00FA7DD8 |
Source: C:\Windows\System32\loaddll32.exe | Memory protected: page execute read | page guard | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 | Jump to behavior |
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, | 0_2_10001B13 |
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA8B98 cpuid | 0_2_00FA8B98 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, | 0_2_1000166F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, | 0_2_10001000 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA8B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, | 0_2_00FA8B98 |
Source: Yara match | File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR |
Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE |
Thumbnails