Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | ReversingLabs: Detection: 50% |
Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | Virustotal: Detection: 64% | Perma Link |
Source: 0.2.LwNdQo4zIk.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 CryptAcquireContextA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 CryptDeriveKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B01AF CryptExportKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B035E CryptDestroyKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B056E CryptReleaseContext, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA67F CryptAcquireContextA,CryptAcquireContextA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AF6E3 CryptExportKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA75C CryptEncrypt,CryptEncrypt, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA7D8 CryptDestroyKey,CryptDestroyKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA80E CryptReleaseContext,CryptReleaseContext, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA9DE CryptBinaryToStringA,CryptBinaryToStringA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C2A13 CryptBinaryToStringA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AFA91 CryptExportKey,CryptExportKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A5B70 CryptBinaryToStringA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AEB1B CryptGenKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A8D87 CryptBinaryToStringA,GetTempPathW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D51140C CryptDeriveKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D507CD1 CryptReleaseContext, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500CD9 CryptDestroyKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F9484 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500486 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D50AF62 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F3F01 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4E8F2B CryptDeriveKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F279D HttpSendRequestW,CryptReleaseContext, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4E46B5 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4FE812 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D509035 CryptReleaseContext, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4EC080 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F1A58 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D536A70 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4ECA64 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D507ADA CryptDeriveKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4EEAE5 CryptGetHashParam, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500283 CryptReleaseContext,GetProcAddress,GetProcAddress, |
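The CryptHashData, CryptDeriveKey, CryptGetHashParam and CryptEncrypt calls listed above for the rundll32-hosted DLL are the CryptoAPI password-based pattern: hash a secret, derive a session key from the hash, encrypt. The following is an added example, not code from the report or from the sample: a Python re-implementation of the key-derivation rule documented for CryptDeriveKey, so that the key can be reproduced offline once the hash algorithm, cipher and hashed secret have been recovered from the DLL. The report does not state any of those three; MD5, AES and the password string in the code are assumptions.

```python
"""Offline re-implementation of the CryptoAPI CryptDeriveKey rule
(secret -> CryptHashData -> CryptDeriveKey -> session key), so the key
material a CryptHashData/CryptDeriveKey/CryptEncrypt chain produces can be
reproduced without Windows. Hash algorithm, cipher and password below are
assumptions of this example; the report does not say which the sample uses."""
import hashlib

SHA2 = {"sha224", "sha256", "sha384", "sha512"}


def cryptoapi_expands(hash_name, cipher):
    """CryptDeriveKey stretches the hash with a two-block 0x36/0x5C expansion
    only when the base hash is not SHA-2 and the target cipher is AES or
    3DES; for every other combination the key is simply a prefix of the hash."""
    return hash_name.lower() not in SHA2 and cipher.lower() in {"aes", "3des"}


def crypt_derive_key(hash_name, secret, key_len, expand):
    """Return the key_len-byte key CryptDeriveKey would produce from secret.

    hash_name: hashlib algorithm name fed to CryptHashData ('md5', 'sha1', ...).
    secret:    bytes passed to CryptHashData.
    key_len:   cipher key length in bytes (16 for AES-128, 24 for 3DES, ...).
    expand:    apply the 0x36/0x5C expansion (see cryptoapi_expands)."""
    h = hashlib.new(hash_name, secret).digest()
    if expand:
        k = len(h)
        # Two 64-byte buffers of 0x36 and 0x5C whose first k bytes are XORed
        # with the hash; each is hashed again and the digests concatenated.
        buf36 = bytes((0x36 ^ h[i]) if i < k else 0x36 for i in range(64))
        buf5c = bytes((0x5C ^ h[i]) if i < k else 0x5C for i in range(64))
        h = hashlib.new(hash_name, buf36).digest() + hashlib.new(hash_name, buf5c).digest()
    if key_len > len(h):
        raise ValueError(f"{hash_name} yields {len(h)} bytes; cannot derive {key_len}")
    return h[:key_len]


def derive_for(hash_name, cipher, key_len, secret):
    """Convenience wrapper that picks the expansion rule for the cipher."""
    return crypt_derive_key(hash_name, secret, key_len, cryptoapi_expands(hash_name, cipher))


if __name__ == "__main__":
    # Hypothetical scenario: the DLL MD5-hashes a hard-coded string and
    # derives an AES-128 key from it. Both the algorithm and the string are
    # this example's assumptions, not values taken from the sample.
    print(derive_for("md5", "aes", 16, b"example-password").hex())
```

When replaying traffic from such a sample, confirm the expansion branch against the cipher the DLL actually asks CryptDeriveKey for: an MD5-derived RC4 key is the raw 16-byte digest, while an MD5-derived AES key goes through the expansion and a mismatch here is the usual reason a decryptor produces garbage.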
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack |
Source: LwNdQo4zIk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll |
Source: | Binary string: C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe |
Source: | Binary string: >h6C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B7085 InternetReadFile, |
Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004FA0B0 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B4115 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB2C2 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C13A5 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004DE3A7 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A067F |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004DD9E8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D51213A |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4ECA64 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D52822C |
Source: LwNdQo4zIk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B1333 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot |
Source: unknown | Process created: C:\Users\user\Desktop\LwNdQo4zIk.exe C:\Users\user\Desktop\LwNdQo4zIk.exe |
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1568 |
Source: classification engine | Classification label: mal84.evad.winEXE@4/5@0/1 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R; |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F7054 push 004E123Eh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F0321 push 004ED2FBh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D6483 push 0046B803h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D85D5 push 004C899Fh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004EB75E push 004D3CB3h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 push dword ptr [004FCE43h]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004EA92F push 004DAC2Fh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F59CA push 004B1D5Fh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 push 0046C15Ah; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046FE63 push 00469E02h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C8FA2 push 004ADFCDh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C8FA2 push 004B29F4h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00491044 push 0046B803h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F3042 push 004BACA2h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0047E048 push 004F3C92h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A5057 push 004A4A45h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AC057 push 004A024Ch; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00494069 push 0046CDFCh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0049B068 push 0046CDFCh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046D063 push 0046AD57h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0049806C push dword ptr [004FC7DBh]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C5069 push 004ADFCDh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046F07F push dword ptr [004FD207h]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0047B07B push 00469E02h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D300B push dword ptr [004FD567h]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00480001 push dword ptr [004FC7DBh]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004CD000 push 004A0557h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B8005 push 004AC2A1h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00474016 push 0046C15Ah; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B701A push 004F3C92h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D1013 push 004B06B3h; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | API coverage: 6.5 % |
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 3.5 % |
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 136000 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: rundll32.exe, 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000001.00000000.258771674.000000006D58B000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanW |
Source: LwNdQo4zIk.exe, 00000000.00000002.250562734.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr | Binary or memory string: #NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanWindowMicrosoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dllSystem.Collections.dllInkSeg.dll0123456789abcdefCNB_0336.DLLMicrosoft.Windows.Diagnosis.Commands.WriteDiagProgress.dllmsscp.dllOSProvider.dllapi-ms-win-core-localization-l1-1-0.dllmscorier.dll0123456789abcdef |
Source: rundll32.exe, 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000001.00000000.258771674.000000006D58B000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: SetProgmanW |
Source: LwNdQo4zIk.exe, 00000000.00000002.250562734.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr | Binary or memory string: SetProgmanWindow |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004ADA35 GetLocalTime, |
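The signature lines above carry the facts an analyst has to pull out by hand: the process chain (sample spawns rundll32 with a .tmp module from %LOCALAPPDATA%\Temp and a named export, rundll32 then crashes into WerFault), which process holds which part of the CryptoAPI chain, the push/ret control-flow obfuscation in the unpacked sample, and the evasion and fingerprinting calls. The following is an added example, not part of the report or of any sandbox vendor's tooling: a Python triage script that parses lines in this "Source: … | … |" layout and extracts those facts. The embedded sample lines are copied from the report; the stage names, the rundll32/%TEMP% rule, the assumption that "delay time" is in milliseconds and the assumption that image paths contain no spaces are this example's own.

```python
"""Triage helper for sandbox signature lines of the form
'Source: <process or file> | <observation> |'.
The sample lines below are copied verbatim from the report; the stage
names, the rundll32/%TEMP% rule, the millisecond unit for 'delay time'
and the no-spaces-in-image-path assumption are this example's own."""
import json
import re
from collections import defaultdict

# Constructed sample: a subset of the report's lines, unchanged.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 CryptAcquireContextA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 CryptDeriveKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA75C CryptEncrypt,CryptEncrypt, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A8D87 CryptBinaryToStringA,GetTempPathW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F9484 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4E8F2B CryptDeriveKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F279D HttpSendRequestW,CryptReleaseContext, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4E46B5 CryptEncrypt, |
Source: unknown | Process created: C:\Users\user\Desktop\LwNdQo4zIk.exe C:\Users\user\Desktop\LwNdQo4zIk.exe |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F7054 push 004E123Eh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 push dword ptr [004FCE43h]; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 136000 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
"""

LINE_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|\s*(?P<obs>.*?)\s*\|?\s*$")
CODE_FN_RE = re.compile(r"^Code function: \S+ (?P<apis>.+)$")
# 'push <imm or [mem]>; ret' is a jmp in disguise: a control-flow obfuscation marker.
PUSH_RET_RE = re.compile(r"^Code function: \S+ push (?:dword ptr \[)?[0-9A-Fa-f]+h\]?; ret$")
# rundll32 "<module>",<export> where the module sits under %LOCALAPPDATA%\Temp.
RUNDLL_TEMP_RE = re.compile(
    r'"?(?P<module>[^",]*\\AppData\\Local\\Temp\\[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
CRYPTO_STAGES = {
    "key_material": {"CryptGenKey", "CryptDeriveKey", "CryptHashData"},
    "encrypt": {"CryptEncrypt"},
    "export_or_encode": {"CryptExportKey", "CryptBinaryToStringA"},
    "network": {"HttpSendRequestW", "InternetReadFile"},
}


def parse(text):
    """(source, observation) pairs for every well-formed line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("src"), m.group("obs")))
    return out


def process_tree(records):
    """(parent, child_image, command_line) per 'Process created' observation.
    Assumes the image path has no spaces, as in this report."""
    tree = []
    for src, obs in records:
        if obs.startswith("Process created: "):
            image, _, cmdline = obs[len("Process created: "):].partition(" ")
            tree.append((src, image, cmdline))
    return tree


def rundll32_temp_modules(tree):
    """(module, export, extension) for rundll32 launches of a %TEMP% module."""
    hits = []
    for _parent, image, cmdline in tree:
        if image.lower().endswith("\\rundll32.exe"):
            m = RUNDLL_TEMP_RE.search(cmdline)
            if m:
                module = m.group("module")
                hits.append((module, m.group("export"), module.rsplit(".", 1)[-1].lower()))
    return hits


def apis_by_process(records):
    """Set of API names seen in 'Code function' lines, keyed by process."""
    apis = defaultdict(set)
    for src, obs in records:
        m = CODE_FN_RE.match(obs)
        if m and not PUSH_RET_RE.match(obs):
            apis[src].update(a.strip() for a in m.group("apis").split(",") if a.strip())
    return apis


def crypto_profile(api_set):
    """Which stage of the CryptoAPI chain a process implements."""
    return {stage: sorted(api_set & names) for stage, names in CRYPTO_STAGES.items()}


def push_ret_count(records):
    counts = defaultdict(int)
    for src, obs in records:
        if PUSH_RET_RE.match(obs):
            counts[src] += 1
    return counts


def evasion_indicators(records):
    ind = defaultdict(list)
    for src, obs in records:
        m = re.match(r"Thread delayed: delay time: (\d+)$", obs)
        if m:  # unit assumed to be milliseconds
            ind[src].append(f"sleep {int(m.group(1)) / 1000:.0f}s")
        elif obs == "Process queried: DebugPort":
            ind[src].append("debugger check (DebugPort)")
        elif obs.endswith("Cryptography MachineGuid"):
            ind[src].append("host fingerprint (MachineGuid)")
    return ind


def triage(text):
    records = parse(text)
    tree = process_tree(records)
    apis = apis_by_process(records)
    return {
        "tree": tree,
        "rundll32_temp": rundll32_temp_modules(tree),
        "crypto": {p: crypto_profile(a) for p, a in apis.items() if any(x.startswith("Crypt") for x in a)},
        "push_ret": dict(push_ret_count(records)),
        "evasion": dict(evasion_indicators(records)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

The output makes the division of labour visible: the on-disk sample only derives a key, encrypts and base64-encodes (CryptBinaryToStringA), while the rundll32-hosted .tmp module is the one that hashes a secret, derives the key and sends HTTP, so the network-side decryptor has to be built from the DLL, not from the dropper. The rundll32 rule (module under %LOCALAPPDATA%\Temp with a non-.dll extension and an explicit export) is the part worth lifting into a detection, since it holds regardless of the export name.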