Source: pmfoxWgt1q.dll | Metadefender: Detection: 34% |
Source: pmfoxWgt1q.dll | ReversingLabs: Detection: 72% |
Source: pmfoxWgt1q.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A78D1C FindFirstFileExW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A78D1C FindFirstFileExW, |
Source: Yara match | File source: pmfoxWgt1q.dll, type: SAMPLE |
Source: Yara match | File source: 5.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.regsvr32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll64.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000004.00000002.882940563.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.882553231.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000002.889058366.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.881462250.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.882940823.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.880853299.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A77C5C |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A6CBA9 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A75BD4 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A6C1FC |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A77198 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A7B9CC |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A70124 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A7A728 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A71DB0 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A78D1C |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A6BD28 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A77C5C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A6CBA9 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A75BD4 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A6C1FC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A77198 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A7B9CC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A70124 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A7A728 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A71DB0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A78D1C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A6BD28 |
Source: C:\Windows\System32\loaddll64.exe | Code function: String function: 00007FFC73A60620 appears 2834 times |
Source: C:\Windows\System32\regsvr32.exe | Code function: String function: 00007FFC73A60620 appears 2834 times |
Source: pmfoxWgt1q.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll" |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,DllRegisterServer |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,YAeJyEAYL7F4eDck6YUaf |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,fmFkmnQYB5TC2Sq5NGFkK |
Source: classification engine | Classification label: mal64.troj.winDLL@13/0@0/0 |
Source: pmfoxWgt1q.dll | Static PE information: Image base 0x180000000 > 0x60000000 |
Source: pmfoxWgt1q.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: pmfoxWgt1q.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: pmfoxWgt1q.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: pmfoxWgt1q.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: pmfoxWgt1q.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: pmfoxWgt1q.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: pmfoxWgt1q.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: pmfoxWgt1q.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: pmfoxWgt1q.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: pmfoxWgt1q.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: pmfoxWgt1q.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A6DB15 push 830F0001h; retn 0000h |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A6DB15 push 830F0001h; retn 0000h |
Source: pmfoxWgt1q.dll | Static PE information: section name: _RDATA |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A7A0AC GetProcessHeap, |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A64140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A64500 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A64140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC73A64500 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll64.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Windows\System32\loaddll64.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Windows\System32\regsvr32.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, |
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW, |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A78300 cpuid |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC73A64404 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |