Source: Yara match |
File source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll64.exe PID: 6832, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: regsvr32.exe PID: 6848, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6860, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: loaddll64.exe, 00000000.00000002.306399602.00000239D2CF0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.279011932.000001D397AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.279346138.000001EDE5CF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ilekvoyn.com/ |
Source: rundll32.exe, 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ilekvoyn.com/4 |
Source: rundll32.exe, 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ilekvoyn.com/Y |
Source: rundll32.exe, 00000004.00000002.279383760.000001EDE5D16000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ilekvoyn.com/u5 |
Source: regsvr32.exe, 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ilekvoyn.com:80/ |
Source: loaddll64.exe, 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://shapka-youtube.ru/ |
Source: Yara match |
File source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll64.exe PID: 6832, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: regsvr32.exe PID: 6848, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6860, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects IceID / Bokbot variants Author: ditekSHen |
Source: 4.2.rundll32.exe.1ede3f59841.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 4.2.rundll32.exe.1ede3fcb648.2.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 0.2.loaddll64.exe.239d139d591.2.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 3.2.rundll32.exe.1d395c5b848.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 2.2.regsvr32.exe.b99811.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 2.2.regsvr32.exe.c091b8.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 3.2.rundll32.exe.1d395be9aa1.2.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 0.2.loaddll64.exe.239d1412178.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 |
Source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC65B1542B NtMapViewOfSection,NtCreateSection, |
0_2_00007FFC65B1542B |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,RtlDeleteBoundaryDescriptor,GetProcessHeap,HeapFree, |
0_2_000000018000108C |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC66B0542B NtMapViewOfSection,NtCreateSection, |
2_2_00007FFC66B0542B |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
2_2_000000018000108C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
3_2_000000018000108C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,RtlDeleteBoundaryDescriptor,GetProcessHeap,HeapFree, |
4_2_000000018000108C |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\J5V5DR.dll" |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\J5V5DR.dll |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,DllRegisterServer |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,HdQZgnE |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,IfkPmdu |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\J5V5DR.dll |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,DllRegisterServer |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,HdQZgnE |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,IfkPmdu |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1 |
Source: C:\Windows\System32\regsvr32.exe |
RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc |
Source: C:\Windows\System32\regsvr32.exe |
RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc |
Source: C:\Windows\System32\rundll32.exe |
RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc |
Source: C:\Windows\System32\rundll32.exe |
RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc |
Source: C:\Windows\System32\loaddll64.exe |
RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc |
Source: C:\Windows\System32\loaddll64.exe |
RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc |
Source: C:\Windows\System32\loaddll64.exe |
Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
0_2_000000018000133C |
Source: C:\Windows\System32\regsvr32.exe |
Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
2_2_000000018000133C |
Source: C:\Windows\System32\rundll32.exe |
Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
3_2_000000018000133C |
Source: C:\Windows\System32\rundll32.exe |
Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
4_2_000000018000133C |
Source: rundll32.exe, 00000003.00000002.279011932.000001D397AA0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWPK |
Source: rundll32.exe, 00000004.00000002.279392364.000001EDE5D2A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW% |
Source: loaddll64.exe, 00000000.00000002.306438498.00000239D2D35000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.306399602.00000239D2CF0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278392013.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.279042528.000001D397AD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.279392364.000001EDE5D2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.279346138.000001EDE5CF0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: loaddll64.exe, 00000000.00000002.306426714.00000239D2D1F000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWB4 |
Source: regsvr32.exe, 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.279042528.000001D397AD3000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW@ |
Source: Yara match |
File source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll64.exe PID: 6832, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: regsvr32.exe PID: 6848, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6860, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll64.exe PID: 6832, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: regsvr32.exe PID: 6848, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6860, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE |