Source: pmfoxWgt1q.dll |
Metadefender: Detection: 34% |
Source: pmfoxWgt1q.dll |
ReversingLabs: Detection: 72% |
Source: pmfoxWgt1q.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A78D1C FindFirstFileExW, |
0_2_00007FFC73A78D1C |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A78D1C FindFirstFileExW, |
2_2_00007FFC73A78D1C |
Source: Yara match |
File source: pmfoxWgt1q.dll, type: SAMPLE |
Source: Yara match |
File source: 5.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.regsvr32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll64.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.882940563.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.882553231.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000002.889058366.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.881462250.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.882940823.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.880853299.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: C:\Windows\System32\regsvr32.exe |
Section loaded: sfc.dll |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A77C5C |
0_2_00007FFC73A77C5C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A6CBA9 |
0_2_00007FFC73A6CBA9 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A75BD4 |
0_2_00007FFC73A75BD4 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A6C1FC |
0_2_00007FFC73A6C1FC |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A77198 |
0_2_00007FFC73A77198 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A7B9CC |
0_2_00007FFC73A7B9CC |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A70124 |
0_2_00007FFC73A70124 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A7A728 |
0_2_00007FFC73A7A728 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A71DB0 |
0_2_00007FFC73A71DB0 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A78D1C |
0_2_00007FFC73A78D1C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A6BD28 |
0_2_00007FFC73A6BD28 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A77C5C |
2_2_00007FFC73A77C5C |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A6CBA9 |
2_2_00007FFC73A6CBA9 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A75BD4 |
2_2_00007FFC73A75BD4 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A6C1FC |
2_2_00007FFC73A6C1FC |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A77198 |
2_2_00007FFC73A77198 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A7B9CC |
2_2_00007FFC73A7B9CC |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A70124 |
2_2_00007FFC73A70124 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A7A728 |
2_2_00007FFC73A7A728 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A71DB0 |
2_2_00007FFC73A71DB0 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A78D1C |
2_2_00007FFC73A78D1C |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A6BD28 |
2_2_00007FFC73A6BD28 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: String function: 00007FFC73A60620 appears 2834 times |
Source: C:\Windows\System32\regsvr32.exe |
Code function: String function: 00007FFC73A60620 appears 2834 times |
Source: pmfoxWgt1q.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll" |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,DllRegisterServer |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,YAeJyEAYL7F4eDck6YUaf |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,fmFkmnQYB5TC2Sq5NGFkK |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,DllRegisterServer |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,YAeJyEAYL7F4eDck6YUaf |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,fmFkmnQYB5TC2Sq5NGFkK |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 |
Source: classification engine |
Classification label: mal64.troj.winDLL@13/0@0/0 |
Source: pmfoxWgt1q.dll |
Static PE information: Image base 0x180000000 > 0x60000000 |
Source: pmfoxWgt1q.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: pmfoxWgt1q.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: pmfoxWgt1q.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: pmfoxWgt1q.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: pmfoxWgt1q.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: pmfoxWgt1q.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: pmfoxWgt1q.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: pmfoxWgt1q.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: pmfoxWgt1q.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: pmfoxWgt1q.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: pmfoxWgt1q.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: pmfoxWgt1q.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: pmfoxWgt1q.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A6DB15 push 830F0001h; retn 0000h |
0_2_00007FFC73A6DB1A |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A6DB15 push 830F0001h; retn 0000h |
2_2_00007FFC73A6DB1A |
Source: pmfoxWgt1q.dll |
Static PE information: section name: _RDATA |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A78D1C FindFirstFileExW, |
0_2_00007FFC73A78D1C |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A78D1C FindFirstFileExW, |
2_2_00007FFC73A78D1C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FFC73A69F4C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A7A0AC GetProcessHeap, |
0_2_00007FFC73A7A0AC |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A64140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00007FFC73A64140 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FFC73A69F4C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A64500 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FFC73A64500 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A64140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_00007FFC73A64140 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_00007FFC73A69F4C |
Source: C:\Windows\System32\regsvr32.exe |
Code function: 2_2_00007FFC73A64500 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_00007FFC73A64500 |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00007FFC73A7C424 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: GetLocaleInfoW, |
0_2_00007FFC73A733A0 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: EnumSystemLocalesW, |
0_2_00007FFC73A7C38C |
Source: C:\Windows\System32\loaddll64.exe |
Code function: EnumSystemLocalesW, |
0_2_00007FFC73A7C2BC |
Source: C:\Windows\System32\loaddll64.exe |
Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00007FFC73A7C9A4 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: EnumSystemLocalesW, |
0_2_00007FFC73A73008 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: GetLocaleInfoW, |
0_2_00007FFC73A7C878 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_00007FFC73A7C7C8 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, |
0_2_00007FFC73A7BF70 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: GetLocaleInfoW, |
0_2_00007FFC73A7C670 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
2_2_00007FFC73A7C424 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: GetLocaleInfoW, |
2_2_00007FFC73A733A0 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: EnumSystemLocalesW, |
2_2_00007FFC73A7C38C |
Source: C:\Windows\System32\regsvr32.exe |
Code function: EnumSystemLocalesW, |
2_2_00007FFC73A7C2BC |
Source: C:\Windows\System32\regsvr32.exe |
Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
2_2_00007FFC73A7C9A4 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: EnumSystemLocalesW, |
2_2_00007FFC73A73008 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: GetLocaleInfoW, |
2_2_00007FFC73A7C878 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
2_2_00007FFC73A7C7C8 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, |
2_2_00007FFC73A7BF70 |
Source: C:\Windows\System32\regsvr32.exe |
Code function: GetLocaleInfoW, |
2_2_00007FFC73A7C670 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A78300 cpuid |
0_2_00007FFC73A78300 |
Source: C:\Windows\System32\loaddll64.exe |
Code function: 0_2_00007FFC73A64404 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00007FFC73A64404 |