Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | Virustotal: Detection: 64%
Source: 0.2.LwNdQo4zIk.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 CryptAcquireContextA,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 CryptDeriveKey,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B01AF CryptExportKey,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B035E CryptDestroyKey,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B056E CryptReleaseContext,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA67F CryptAcquireContextA,CryptAcquireContextA,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AF6E3 CryptExportKey,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA75C CryptEncrypt,CryptEncrypt,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA7D8 CryptDestroyKey,CryptDestroyKey,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA80E CryptReleaseContext,CryptReleaseContext,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA9DE CryptBinaryToStringA,CryptBinaryToStringA,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C2A13 CryptBinaryToStringA,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AFA91 CryptExportKey,CryptExportKey,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A5B70 CryptBinaryToStringA,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AEB1B CryptGenKey,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A8D87 CryptBinaryToStringA,GetTempPathW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D51140C CryptDeriveKey,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D507CD1 CryptReleaseContext,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500CD9 CryptDestroyKey,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F9484 CryptHashData,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500486 CryptHashData,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D50AF62 CryptHashData,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F3F01 CryptHashData,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4E8F2B CryptDeriveKey,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F279D HttpSendRequestW,CryptReleaseContext,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4E46B5 CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4FE812 CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D509035 CryptReleaseContext,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4EC080 CryptHashData,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F1A58 CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D536A70 CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4ECA64 CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D507ADA CryptDeriveKey,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4EEAE5 CryptGetHashParam,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500283 CryptReleaseContext,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack
Source: LwNdQo4zIk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Binary string: C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Binary string: >h6C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B7085 InternetReadFile,
Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004FA0B0
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B4115
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB2C2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C13A5
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004DE3A7
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A067F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004DD9E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D51213A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4ECA64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D52822C
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp 20DC61C5456EA5756F432AEBECF74660ACEBF5ACE0F7C8D1B360757ED79075D8
Source: LwNdQo4zIk.exe | Static PE information: Section: .data ZLIB complexity 0.9918356461560528
Source: LwNdQo4zIk.exe | Virustotal: Detection: 49%
Source: LwNdQo4zIk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B1333 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
Source: unknown | Process created: C:\Users\user\Desktop\LwNdQo4zIk.exe C:\Users\user\Desktop\LwNdQo4zIk.exe
|
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1568
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | File created: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp
Source: classification engine | Classification label: mal84.evad.winEXE@4/5@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: LwNdQo4zIk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F7054 push 004E123Eh; ret | 0_2_004F71C1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F0321 push 004ED2FBh; ret | 0_2_004F0472
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D6483 push 0046B803h; ret | 0_2_004D6561
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D85D5 push 004C899Fh; ret | 0_2_004D867A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004EB75E push 004D3CB3h; ret | 0_2_004EB891
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 push dword ptr [004FCE43h]; ret | 0_2_004A7A9F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004EA92F push 004DAC2Fh; ret | 0_2_004EAA73
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F59CA push 004B1D5Fh; ret | 0_2_004F5B00
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 push 0046C15Ah; ret | 0_2_004ABA8F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046FE63 push 00469E02h; ret | 0_2_0046FFC0
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C8FA2 push 004ADFCDh; ret | 0_2_004C907D
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C8FA2 push 004B29F4h; ret | 0_2_004C947A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00491044 push 0046B803h; ret | 0_2_00491087
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F3042 push 004BACA2h; ret | 0_2_004F30B2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0047E048 push 004F3C92h; ret | 0_2_0047E101
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A5057 push 004A4A45h; ret | 0_2_004A5090
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AC057 push 004A024Ch; ret | 0_2_004AC0BA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00494069 push 0046CDFCh; ret | 0_2_004941DE
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0049B068 push 0046CDFCh; ret | 0_2_0049B298
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046D063 push 0046AD57h; ret | 0_2_0046D29E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0049806C push dword ptr [004FC7DBh]; ret | 0_2_00498104
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C5069 push 004ADFCDh; ret | 0_2_004C50AC
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046F07F push dword ptr [004FD207h]; ret | 0_2_0046F14E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0047B07B push 00469E02h; ret | 0_2_0047B1AC
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D300B push dword ptr [004FD567h]; ret | 0_2_004D3029
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00480001 push dword ptr [004FC7DBh]; ret | 0_2_00480022
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004CD000 push 004A0557h; ret | 0_2_004CD295
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B8005 push 004AC2A1h; ret | 0_2_004B8038
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00474016 push 0046C15Ah; ret | 0_2_004740C1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B701A push 004F3C92h; ret | 0_2_004B7084
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D1013 push 004B06B3h; ret | 0_2_004D110A
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 3.5 %
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: rundll32.exe, 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000001.00000000.258771674.000000006D58B000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanW
Source: LwNdQo4zIk.exe, 00000000.00000002.250562734.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr | Binary or memory string: #NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanWindowMicrosoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dllSystem.Collections.dllInkSeg.dll0123456789abcdefCNB_0336.DLLMicrosoft.Windows.Diagnosis.Commands.WriteDiagProgress.dllmsscp.dllOSProvider.dllapi-ms-win-core-localization-l1-1-0.dllmscorier.dll0123456789abcdef
Source: rundll32.exe, 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000001.00000000.258771674.000000006D58B000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: SetProgmanW
Source: LwNdQo4zIk.exe, 00000000.00000002.250562734.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr | Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004ADA35 GetLocalTime,