Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | ReversingLabs: Detection: 21% |
Source: https://higmon.cyou/index.html7b9a | Avira URL Cloud: Label: malware |
Source: https://higmon.cyou/index.html | Avira URL Cloud: Label: malware |
Source: https://higmon.cyou | Avira URL Cloud: Label: malware |
Source: https://higmon.cyou/ | Avira URL Cloud: Label: malware |
Source: https://prises.cyou | Avira URL Cloud: Label: malware |
Source: 4.2.rundll32.exe.1c7146f2900.1.raw.unpack | Malware Configuration Extractor: Ursnif {"c2_domain": ["https://higmon.cyou", "https://prises.cyou"], "botnet": "202208151", "aes key": "VHpr3Unea0fVqBYc", "sleep time": "1", "request time": "10", "host keep time": "2", "host shift time": "1"} |
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Windows\System32\rundll32.exe | Network Connect: 45.8.147.179 443 |
Source: C:\Windows\System32\rundll32.exe | Domain query: higmon.cyou |
Source: Traffic | Snort IDS: 2039637 ET TROJAN Observed DNS Query to Ursnif Domain (higmon .cyou) 192.168.2.7:60326 -> 8.8.8.8:53 |
Source: Joe Sandbox View | ASN Name: VMAGE-ASRU VMAGE-ASRU |
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719 |
Source: loaddll64.exe, 00000000.00000002.265165048.000001FF43730000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246608034.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765253557.000001C716530000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247434802.000001817DA60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyou |
Source: rundll32.exe, 00000004.00000002.764882863.000001C71471F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.764961178.000001C714740000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyou/ |
Source: rundll32.exe, 00000004.00000002.764961178.000001C714740000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.764723934.000001C7146DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyou/index.html |
Source: rundll32.exe, 00000004.00000002.764723934.000001C7146DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyou/index.html7b9a |
Source: rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyouhttps://prises.cyouR |
Source: loaddll64.exe, 00000000.00000002.265171862.000001FF43732000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246612763.0000000002F42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765260621.000001C716532000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247438709.000001817DA62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://http://Mozilla/5.0 |
Source: rundll32.exe, rundll32.exe, 00000004.00000002.765346850.00007FFE35483000.00000008.00000001.01000000.00000003.sdmp, c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | String found in binary or memory: https://my.tealiumiq.com/urest/legacy/tagcompanion/getProfile?utid= |
Source: loaddll64.exe, 00000000.00000002.265165048.000001FF43730000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246608034.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765253557.000001C716530000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247434802.000001817DA60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://prises.cyou |
Source: unknown | DNS traffic detected: queries for: higmon.cyou |
Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 2512, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5952, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5932, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR |
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000018000508C |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180004A14 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180003A24 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180001844 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180009C54 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180006344 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180005748 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180002B60 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180008D78 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001800027D4 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000508C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180004A14 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180003A24 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001844 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180009C54 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180006344 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180005748 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180002B60 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D78 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800027D4 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180004A14 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180001844 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000508C |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180006344 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800027D4 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180003A24 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180009C54 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180005748 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180002B60 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180008D78 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000000018000508C |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180004A14 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180003A24 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180001844 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180009C54 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180006344 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180005748 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180002B60 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180008D78 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_00000001800027D4 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError, |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError, |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError, |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError, |
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1 |
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll" |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,DllRegisterServer |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe cmd /c "echo Commands" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,FgnfMvSNFULXZx |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe cmd /c "dir" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,KVpawdrrKTUjeZuk |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3828:120:WilError_01 |
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\ManagerMui |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_01 |
Source: classification engine | Classification label: mal80.troj.evad.winDLL@20/1@1/1 |
Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | Static PE information: Image base 0x180000000 > 0x60000000 |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001800112EE push rax; ret |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000018001112F push rcx; iretd |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800112EE push rax; ret |
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001112F push rcx; iretd |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE354849F8 push rbx; retf |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800112EE push rax; ret |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001112F push rcx; iretd |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_00000001800112EE push rax; ret |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000000018001112F push rcx; iretd |
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | Static PE information: section name: .sedt |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll64.exe TID: 2084 | Thread sleep time: -120000s >= -30000s |
Source: C:\Windows\System32\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes |
Source: C:\Windows\System32\loaddll64.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes |
Source: C:\Windows\System32\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll64.exe | API coverage: 7.5 % |
Source: C:\Windows\System32\regsvr32.exe | API coverage: 7.5 % |
Source: C:\Windows\System32\rundll32.exe | API coverage: 7.5 % |
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000 |
Source: C:\Windows\System32\cmd.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation |
Source: rundll32.exe, 00000004.00000002.765012505.000001C71475D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.764834560.000001C71470B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001800045E8 GetSystemTimeAsFileTime,LeaveCriticalSection, |