Source: 0.2.loaddll32.exe.2c80000.0.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "YO6EupUXQQEIZWr1HZwHqwbuf45UKlaaNAB4ZLiKsu7B39r6dBjtPHb2dqe22JgQrIOaO/7CSCpZ9VuPYSl5H6wuGZ1xyRSe7C3c6RxGbqnFBTgAkKFju2eS+hGTIKJvxmLB1vRcOADEbzlrK+7ALUr55Rs0VTXRrvCyjb4vTim8iSk+dIgIyxzBoPD6SBA5ACtVvAO15Nqcsl+9e+CRdtm0+oPrkvDGL2Dav9cErXo5SzqquGstuCbvnyTSPGNMjbKlPBN7/S4LoVfjxTeSJhWPjf1raeOb8pc9CSsiDTedsvpOOgXVq2c/tQr253W0mKWN0cwiXlVSxmTL1XYeHxONoXKrjIaIwjuFk+VK+lg=", "c2_domain": ["fx.rhinobuff.com", "fio.linosheart.com"], "botnet": "2500", "server": "580", "serpent_key": "GgxKJL0zm4HBTHpK", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"} |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C83FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02683FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, |
Source: 61766fc85163a.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: 61766fc85163a.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: c:\939\Charge\Sense\Young\Self.pdb source: loaddll32.exe, 00000000.00000002.826085612.000000006EA6C000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.827483917.000000006EA6C000.00000002.00020000.sdmp, 61766fc85163a.dll |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: fio.linosheart.com |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: fx.rhinobuff.com |
Source: unknown | DNS traffic detected: query: fx.rhinobuff.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: fio.linosheart.com replaycode: Name error (3) |
Source: loaddll32.exe, 00000000.00000003.803353466.00000000013F5000.00000004.00000001.sdmp | String found in binary or memory: http://fx.rhinobuff.com/_2B_2FM0h60XP/tUM8FmL2/KIja2Ms5a3v6Lq_2Fudl59W/vfBorXE8AA/UUluHYFitiWcdJQtC/ |
Source: loaddll32.exe, 00000000.00000003.631196087.00000000013F5000.00000004.00000001.sdmp | String found in binary or memory: http://fx.rhinobuff.com/x0ylueFuXgrpB3WJj/TF7mv4QreQVW/NyZwfSNmEuc/QVDm3PVK85XSch/TwihngzLYMfTath4pJ |
Source: unknown | DNS traffic detected: queries for: fx.rhinobuff.com |
Source: Yara match | File source: 00000000.00000003.457883512.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448559940.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448597664.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.458003992.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457844986.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448496716.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457961241.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457926996.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448462306.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457986489.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.825811764.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448582889.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448524349.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448420040.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.826711993.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.458017733.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457907127.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448613025.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5276, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5692, type: MEMORYSTR |
Source: Yara match | File source: 2.3.rundll32.exe.2c68c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.3.rundll32.exe.3268c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.45394a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.2c80000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.2658c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.45394a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.31f94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.31f94a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.loaddll32.exe.2c48c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.2.rundll32.exe.5280000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.3.rundll32.exe.51694a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.3.rundll32.exe.4c88c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.2680000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.3.rundll32.exe.51694a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000003.401727363.0000000002C60000.00000040.00000010.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.420035815.0000000002C40000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.401325815.0000000002650000.00000040.00000010.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000003.417864132.0000000004C80000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000003.449697132.0000000005169000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.826309234.0000000004539000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000003.413516631.0000000003260000.00000040.00000010.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.825738430.00000000031F9000.00000004.00000040.sdmp, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: name: fx.rhinobuff.com |
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: name: fio.linosheart.com |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F2274 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C82654 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C87E30 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C84FA7 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA41EE0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA48E07 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA56E61 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA34DC0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA31D72 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA4E8BB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02682654 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02687E30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02684FA7 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA41EE0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA56E61 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA34DC0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA31D72 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA4E8BB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_05284FA7 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_05287E30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_05282654 |
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6EA31211 appears 86 times |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EA31211 appears 86 times |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F121F NtMapViewOfSection, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F1A1C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F2013 GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F2495 NtQueryVirtualMemory, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C822EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C88055 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_026822EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02688055 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_052822EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_05288055 NtQueryVirtualMemory, |
Source: 61766fc85163a.dll | Binary or memory string: OriginalFilenameSelf.dllD vs 61766fc85163a.dll |
Source: 61766fc85163a.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\61766fc85163a.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\61766fc85163a.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61766fc85163a.dll,Cow |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\61766fc85163a.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61766fc85163a.dll,Fishdark |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61766fc85163a.dll,Multiplyboat |
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: classification engine | Classification label: mal84.troj.evad.winDLL@11/0@19/1 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C811B8 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
Source: 61766fc85163a.dll | Joe Sandbox Cloud Basic: Detection: clean Score: 0 |
Source: loaddll32.exe | String found in binary or memory: tHomePremium~31bf3856ad364e35~x86~~6.1.7601.17514" update="Server-Help-Package.ClientHomePremium-Update"/> <Stage pac |
Source: loaddll32.exe | String found in binary or memory: 6~~6.1.7601.17514" update="CoreClientHomePremium"/> <Stage package="Microsoft-Windows-Help-CoreClientUAHP-Package~31b |
Source: loaddll32.exe | String found in binary or memory: osoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~x86~~6.1.7601.17514" update="CoreClientBusiness"/> <Stage |
Source: loaddll32.exe | String found in binary or memory: <Stage package="Server-Help-Package.ClientProfessional~31bf3856ad364e35~x86~~6.1.7601.17514" update="Server-Help-Pac |
Source: loaddll32.exe | String found in binary or memory: 601.17514" update="BHPC Namespace"/> <Stage package="Microsoft-Windows-Help-CoreClientUAHP-Package~31bf3856ad364e35~x |
Source: loaddll32.exe | String found in binary or memory: 3856ad364e35~x86~~6.1.7601.17514" update="CoreClientCollectionHomePremium"/> <Stage package="Server-Help-Package.Clie |
Source: loaddll32.exe | String found in binary or memory: ackage="Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~x86~~6.1.7601.17514" update="CoreClientCollectionBusiness"/ |
Source: rundll32.exe | String found in binary or memory: tHomePremium~31bf3856ad364e35~x86~~6.1.7601.17514" update="Server-Help-Package.ClientHomePremium-Update"/> <Stage pac |
Source: rundll32.exe | String found in binary or memory: 6~~6.1.7601.17514" update="CoreClientHomePremium"/> <Stage package="Microsoft-Windows-Help-CoreClientUAHP-Package~31b |
Source: rundll32.exe | String found in binary or memory: osoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~x86~~6.1.7601.17514" update="CoreClientBusiness"/> <Stage |
Source: rundll32.exe | String found in binary or memory: <Stage package="Server-Help-Package.ClientProfessional~31bf3856ad364e35~x86~~6.1.7601.17514" update="Server-Help-Pac |
Source: rundll32.exe | String found in binary or memory: 601.17514" update="BHPC Namespace"/> <Stage package="Microsoft-Windows-Help-CoreClientUAHP-Package~31bf3856ad364e35~x |
Source: rundll32.exe | String found in binary or memory: 3856ad364e35~x86~~6.1.7601.17514" update="CoreClientCollectionHomePremium"/> <Stage package="Server-Help-Package.Clie |
Source: rundll32.exe | String found in binary or memory: ackage="Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~x86~~6.1.7601.17514" update="CoreClientCollectionBusiness"/ |
Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: 61766fc85163a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 61766fc85163a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 61766fc85163a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 61766fc85163a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 61766fc85163a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 61766fc85163a.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 61766fc85163a.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 61766fc85163a.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 61766fc85163a.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 61766fc85163a.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 61766fc85163a.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F2210 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F2263 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C87AB0 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C87E1F push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA317F6 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA311DA push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02687E1F push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02687AB0 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA317F6 push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA311DA push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_05287E1F push ecx; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_05287AB0 push ecx; ret |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F1552 LoadLibraryA,GetProcAddress, |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3C7F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F1552 LoadLibraryA,GetProcAddress, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA50329 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA950A2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA94F72 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA94C7D push dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA50329 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA950A2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA94C7D push dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA94F72 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3C7F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3180B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA3C7F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA3180B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: fio.linosheart.com |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: fx.rhinobuff.com |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\61766fc85163a.dll',#1 |
Source: loaddll32.exe, 00000000.00000002.825439439.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.826048701.0000000002C50000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.825439439.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.826048701.0000000002C50000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.825439439.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.826048701.0000000002C50000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.825439439.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.826048701.0000000002C50000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoEx, |
Source: C:\Windows\System32\loaddll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoEx, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C82E33 cpuid |
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F109B GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA5B6BE _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F1C6F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02C82E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
Source: Yara match | File source: 00000000.00000003.457883512.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448559940.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448597664.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.458003992.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457844986.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448496716.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457961241.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457926996.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448462306.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457986489.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.825811764.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448582889.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448524349.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448420040.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.826711993.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.458017733.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.457907127.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448613025.0000000004F68000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5276, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5692, type: MEMORYSTR |
Source: Yara match | File source: 2.3.rundll32.exe.2c68c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.3.rundll32.exe.3268c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.45394a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.2c80000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.2658c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.45394a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.31f94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.31f94a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.loaddll32.exe.2c48c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.2.rundll32.exe.5280000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.3.rundll32.exe.51694a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.3.rundll32.exe.4c88c9b.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.2680000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.3.rundll32.exe.51694a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000003.401727363.0000000002C60000.00000040.00000010.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.420035815.0000000002C40000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.401325815.0000000002650000.00000040.00000010.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000003.417864132.0000000004C80000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000003.449697132.0000000005169000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.826309234.0000000004539000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000003.413516631.0000000003260000.00000040.00000010.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.825738430.00000000031F9000.00000004.00000040.sdmp, type: MEMORY |