Source: msimg32.dll |
ReversingLabs: Detection: 18% |
Source: msimg32.dll |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: msimg32.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: E:\building\360project\360sd\branches\beta\Build\x86\WhiteCache.pdb source: loaddll32.exe, 00000000.00000002.1858994541.000000001013D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.000000001013D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.000000001013D000.00000002.00000001.01000000.00000003.sdmp, msimg32.dll |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp, msimg32.dll |
String found in binary or memory: http://www.openssl.org/support/faq.html |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp, msimg32.dll |
String found in binary or memory: http://www.openssl.org/support/faq.html.................... |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10001804 |
0_2_10001804 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_1000521E |
0_2_1000521E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100054A0 |
0_2_100054A0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10008EA3 |
0_2_10008EA3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100054AB |
0_2_100054AB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10004AF0 |
0_2_10004AF0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10004AFE |
0_2_10004AFE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10004B0E |
0_2_10004B0E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10004B31 |
0_2_10004B31 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10004F43 |
0_2_10004F43 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10001784 |
0_2_10001784 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10004B8D |
0_2_10004B8D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10004B98 |
0_2_10004B98 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100017BB |
0_2_100017BB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10001804 |
3_2_10001804 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_1000521E |
3_2_1000521E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_100054A0 |
3_2_100054A0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10008EA3 |
3_2_10008EA3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_100054AB |
3_2_100054AB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10004AF0 |
3_2_10004AF0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10004AFE |
3_2_10004AFE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10004B0E |
3_2_10004B0E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10004B31 |
3_2_10004B31 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10004F43 |
3_2_10004F43 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10001784 |
3_2_10001784 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10004B8D |
3_2_10004B8D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10004B98 |
3_2_10004B98 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_100017BB |
3_2_100017BB |
Source: msimg32.dll |
Binary or memory string: OriginalFilenameWhiteCache.DLL, vs msimg32.dll |
Source: msimg32.dll |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: classification engine |
Classification label: mal48.winDLL@8/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03 |
Source: msimg32.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msimg32.dll,AlphaBlend |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence'; |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger'); |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: SELECT filepath FROM BlackCache ORDER BY atime DESC LIMIT 2000%04d-%02d-%02d %02d:%02d:%02dSELECT filepath, mtime, size, atime FROM WhiteCache ORDER BY atime DESC LIMIT 2000COMMITDELETE FROM WhiteCache WHERE atime < datetime('now', '-%d hour', 'localtime')CREATE TABLE IF NOT EXISTS BlackCache (filepath varchar(300) UNIQUE,atime char(255));CREATE TABLE IF NOT EXISTS WhiteCache (filepath varchar(300) UNIQUE,mtime char(255),atime char(255),size INTEGER(8))BEGIN TRANSACTIONwhitecacheINSERT INTO BlackCache(filepath, atime) VALUES ('%q', datetime('now', 'localtime'))DELETE FROM BlackCache WHERE filepath = '%q'DELETE FROM WhiteCacheDELETE FROM WhiteCache WHERE filepath = '%q' UPDATE WhiteCache SET atime = datetime('now', 'localtime') WHERE filepath = '%q'INSERT INTO WhiteCache(filepath, size, mtime, atime) VALUES ('%q', %lld, '%4d-%02d-%02d %2d:%02d:%02d', datetime('now', 'localtime'))list<T> too long |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0BEGIN EXCLUSIVE;PRAGMA vacuum_db.synchronous=OFFATTACH '' AS vacuum_db;cannot VACUUM from within a transactionwin32 |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: CREATE TABLE IF NOT EXISTS BlackCache (filepath varchar(300) UNIQUE,atime char(255)); |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0 |
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' |
Source: msimg32.dll |
ReversingLabs: Detection: 18% |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\msimg32.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msimg32.dll,AlphaBlend |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msimg32.dll,AlphaBlend |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: msimg32.dll |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: msimg32.dll |
Static file information: File size 2338816 > 1048576 |
Source: msimg32.dll |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117400 |
Source: msimg32.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: msimg32.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: E:\building\360project\360sd\branches\beta\Build\x86\WhiteCache.pdb source: loaddll32.exe, 00000000.00000002.1858994541.000000001013D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.000000001013D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.000000001013D000.00000002.00000001.01000000.00000003.sdmp, msimg32.dll |
Source: msimg32.dll |
Static PE information: real checksum: 0x175e45 should be: 0x23e37f |
Source: msimg32.dll |
Static PE information: section name: .didat |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100AE25B push ecx; ret |
0_2_100AE26E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10007B8B push 8DCB8153h; retf 0000h |
0_2_10007B90 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_100AE25B push ecx; ret |
3_2_100AE26E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10007B8B push 8DCB8153h; retf 0000h |
3_2_10007B90 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
API coverage: 9.1 % |
Source: C:\Windows\SysWOW64\rundll32.exe |
API coverage: 9.1 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1 |
Jump to behavior |