Analysis Report BsYHxeX7Ok.dll

Overview

General Information

Sample Name: BsYHxeX7Ok.dll
Analysis ID: 344139
MD5: 0125320a954399ad7b275b67b97a273f
SHA1: 37afd871f306977f49c56400183ef5a80d8748f1
SHA256: d8a15d14d7bdc4d2e1d948e20cf2835b452f46b2c0860ccd8147ee8d8a43adec
Tags: dll, Heodo

Detection

Emotet
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to get notified if a device is plugged in / out
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: BsYHxeX7Ok.dll Virustotal: Detection: 14%
Source: BsYHxeX7Ok.dll ReversingLabs: Detection: 57%
Machine Learning detection for sample
Source: BsYHxeX7Ok.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: BsYHxeX7Ok.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Binary contains paths to debug symbols
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.231666767.00000000055A2000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243107080.0000000004FB2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: comctl32v582.pdb7 source: WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: msctf.pdbJ source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.231708622.00000000055A5000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243136061.0000000004FB5000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.231708622.00000000055A5000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243136061.0000000004FB5000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb; source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source: Binary string: msctf.pdby source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbp source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: combase.pdb\ source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: version.pdb% source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.231666767.00000000055A2000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243107080.0000000004FB2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: version.pdbv source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbR source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb, source: WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000004.00000002.235969294.0000000004E4A000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb( source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb"w0 source: WerFault.exe, 00000004.00000003.231587693.0000000004E4A000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp

Spreading:

Contains functionality to get notified if a device is plugged in / out
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00738000 RegisterDeviceNotificationA,GetProcessDpiAwarenessInternal, 1_2_00738000
Source: WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoftmT
Source: WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoftmT9

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.loaddll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.710000.0.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007385AC EnumDisplayMonitors,ExitWindowsEx,GetSystemMetrics,GetSystemMetrics, 1_2_007385AC
Detected potential crypto function
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240
PE file contains strange resources
Source: BsYHxeX7Ok.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal60.troj.winDLL@4/12@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6404
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9730.tmp
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00762D98 push 00762E25h; ret 1_2_00762E1D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0077086C push 00770898h; ret 1_2_00770890
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00773848 push 00773874h; ret 1_2_0077386C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770834 push 00770860h; ret 1_2_00770858
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00764038 push 00764064h; ret 1_2_0076405C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770020 push 00770058h; ret 1_2_00770050
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073C8F0 push 0073C91Ch; ret 1_2_0073C914
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B8EC push 0073B92Fh; ret 1_2_0073B927
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007528C8 push 00752933h; ret 1_2_0075292B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073A0B4 push 0073A0E0h; ret 1_2_0073A0D8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007738B8 push 007738E4h; ret 1_2_007738DC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073C8A4 push 0073C8E6h; ret 1_2_0073C8DE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00773880 push 007738ACh; ret 1_2_007738A4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B964 push 0073B990h; ret 1_2_0073B988
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00770934 push 00770960h; ret 1_2_00770958
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073E9E8 push 0073EA14h; ret 1_2_0073EA0C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00758994 push ecx; mov dword ptr [esp], ecx 1_2_00758998
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B99C push 0073B9D4h; ret 1_2_0073B9CC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073B274 push 0073B2CDh; ret 1_2_0073B2C5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00738A50 push 00738A7Ch; ret 1_2_00738A74
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073CA58 push 0073CA84h; ret 1_2_0073CA7C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073BA30 push 0073BA5Ch; ret 1_2_0073BA54
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AA38 push 0073AA87h; ret 1_2_0073AA7F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076CA20 push 0076CA58h; ret 1_2_0076CA50
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076BAF0 push 0076BB32h; ret 1_2_0076BB2A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AAE0 push 0073AB0Ch; ret 1_2_0073AB04
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073AAA8 push 0073AAD4h; ret 1_2_0073AACC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00738B7C push 00738BA8h; ret 1_2_00738BA0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0076BB64 push 0076BB90h; ret 1_2_0076BB88
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0073BB60 push 0073BB8Ch; ret 1_2_0073BB84
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00739B64 push 00739BA2h; ret 1_2_00739B9A

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000007.00000003.253017420.000000000479F000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.279948140.0000000004340000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000007.00000002.254441564.0000000004780000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(
Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000003.278361427.0000000002854000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWb
Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0071A823 mov eax, dword ptr fs:[00000030h] 1_2_0071A823
Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Contains functionality to simulate mouse events
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_007384D8 mouse_event,GetSystemMetrics,GetSystemMetrics, 1_2_007384D8

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.loaddll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.710000.0.unpack, type: UNPACKEDPE
Behavior Graph (ID: 344139, Sample: BsYHxeX7Ok.dll, Startdate: 26/01/2021, Architecture: WINDOWS, Score: 60): signatures Multi AV Scanner detection for submitted file, Yara detected Emotet, Machine Learning detection for sample; process loaddll32.exe started, which in turn started three WerFault.exe processes.
No contacted IP infos