Windows Analysis Report FIyE6huzxV

Overview

General Information

Sample Name: FIyE6huzxV (renamed file extension from none to dll)
Analysis ID: 524856
MD5: ae5017480fc46fea5f5b35e684be8639
SHA1: b5f7941d2b2be6fc1ee9a95a214a39404661b2bc
SHA256: 610f8e0834645e2bf2a47c9d7f8cff5e902bef45750f3c2d1ad84bea66b681ca
Tags: 32dllexe
Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 5.2.rundll32.exe.2e943e0.0.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: FIyE6huzxV.dll Virustotal: Detection: 19%
Source: FIyE6huzxV.dll ReversingLabs: Detection: 22%

Compliance:

Uses 32bit PE files
Source: FIyE6huzxV.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: FIyE6huzxV.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6CD1EE FindFirstFileExA, 1_2_6E6CD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6CD1EE FindFirstFileExA, 3_2_6E6CD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_030E1A80 FindFirstFileW, 19_2_030E1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.7:49764 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
  GET /ixufuEvpOVRaGsMcwVdxxNdVEbwDu HTTP/1.1
  Cookie: aCktUHAkMKD=TfyHqYLXTgYzdruEwNizDAfbCqZTgvqsH66CTQb1ytbBq80BnlqrtzN99nJXwaPo9lxyz/uAmFRullUIX0ZowWZs9CNvL/wvwz9s0Lyk9stGcsTkt35/6+ScCB6oHb65u6YN4GepkyMPsVCOcYLehsOLK7Ic3r5z0nvRBBYP/pa0Ftru5H1By1CJJuTLx5srUGF+6FxghaKUJmk9h02X8MAniWAG0gALx5fIxZLs/7s3UdtcvXiWG9uyM0dj8j6ddiLVwX64otV1KIALayfbuVeEUs4Up9/eppFXVuKG+YmasQ==
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 00000006.00000002.633228868.0000019BB3862000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.773751286.0000000003303000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.551975946.000002E1BC900000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000006.00000002.633228868.0000019BB3862000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.551789701.000002E1BC0ED000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001E.00000003.532070250.000002E1BCE21000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.532019244.000002E1BC987000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000F.00000002.388191444.0000018F9B213000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.772692496.0000015A28A46000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.772692496.0000015A28A46000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.772692496.0000015A28A46000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com.
Source: rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000013.00000002.773553604.00000000032BA000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/Y
Source: rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp String found in binary or memory: https://51.178.61.60/ixufuEvpOVRaGsMcwVdxxNdVEbwDu
Source: svchost.exe, 00000008.00000002.772692496.0000015A28A46000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.772554273.0000015A28A29000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.772554273.0000015A28A29000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000003.387685951.0000018F9B248000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000F.00000003.387772041.0000018F9B241000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000F.00000003.387772041.0000018F9B241000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000003.387772041.0000018F9B241000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001E.00000003.532070250.000002E1BCE21000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.532019244.000002E1BC987000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000003.387669870.0000018F9B264000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.362849002.0000018F9B231000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000003.362849002.0000018F9B231000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000003.387745693.0000018F9B257000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000F.00000002.388224173.0000018F9B23A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000F.00000003.387685951.0000018F9B248000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001E.00000003.532070250.000002E1BCE21000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.532019244.000002E1BC987000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001E.00000003.532070250.000002E1BCE21000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.532019244.000002E1BC987000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001E.00000003.533091604.000002E1BCE02000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_030F1027 InternetReadFile, 19_2_030F1027
Source: global traffic HTTP traffic detected:
  GET /ixufuEvpOVRaGsMcwVdxxNdVEbwDu HTTP/1.1
  Cookie: aCktUHAkMKD=TfyHqYLXTgYzdruEwNizDAfbCqZTgvqsH66CTQb1ytbBq80BnlqrtzN99nJXwaPo9lxyz/uAmFRullUIX0ZowWZs9CNvL/wvwz9s0Lyk9stGcsTkt35/6+ScCB6oHb65u6YN4GepkyMPsVCOcYLehsOLK7Ic3r5z0nvRBBYP/pa0Ftru5H1By1CJJuTLx5srUGF+6FxghaKUJmk9h02X8MAniWAG0gALx5fIxZLs/7s3UdtcvXiWG9uyM0dj8j6ddiLVwX64otV1KIALayfbuVeEUs4Up9/eppFXVuKG+YmasQ==
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.7:49764 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 1_2_6E6A5EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 1.2.loaddll32.exe.90bee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3505238.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2e943e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2e943e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2a55338.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2a55338.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.30f4200.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.90bee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3505238.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.30f4200.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.350213708.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.352423510.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.377422235.00000000030DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.773455424.0000000003285000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.352676760.00000000034EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.351034288.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351194213.0000000002A3A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: FIyE6huzxV.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082CAA8 1_2_0082CAA8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081441E 1_2_0081441E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008243B3 1_2_008243B3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00817283 1_2_00817283
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00830687 1_2_00830687
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00824E8A 1_2_00824E8A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082748A 1_2_0082748A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081CC8D 1_2_0081CC8D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00813C91 1_2_00813C91
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082D091 1_2_0082D091
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081AC95 1_2_0081AC95
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082AC9B 1_2_0082AC9B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081FEA0 1_2_0081FEA0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082D6A7 1_2_0082D6A7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008278A5 1_2_008278A5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008244AA 1_2_008244AA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081DAAE 1_2_0081DAAE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815AB2 1_2_00815AB2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008290BA 1_2_008290BA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008298BD 1_2_008298BD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082BEC9 1_2_0082BEC9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008308D1 1_2_008308D1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00827ED1 1_2_00827ED1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082CCD4 1_2_0082CCD4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00820ADE 1_2_00820ADE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082ECE3 1_2_0082ECE3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082AEEB 1_2_0082AEEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082A8F0 1_2_0082A8F0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082DEF4 1_2_0082DEF4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008130F6 1_2_008130F6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00814C00 1_2_00814C00
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00818C09 1_2_00818C09
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00811A0A 1_2_00811A0A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081220A 1_2_0081220A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00821C10 1_2_00821C10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081E21C 1_2_0081E21C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081F41F 1_2_0081F41F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00825220 1_2_00825220
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081D223 1_2_0081D223
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00819E22 1_2_00819E22
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081EC27 1_2_0081EC27
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082F83F 1_2_0082F83F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00831A3C 1_2_00831A3C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00812043 1_2_00812043
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082E441 1_2_0082E441
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00813845 1_2_00813845
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00812A46 1_2_00812A46
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081A048 1_2_0081A048
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00812654 1_2_00812654
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00819A57 1_2_00819A57
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082406E 1_2_0082406E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00811C76 1_2_00811C76
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00819384 1_2_00819384
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081758F 1_2_0081758F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00824D8D 1_2_00824D8D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00814F8E 1_2_00814F8E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081FD91 1_2_0081FD91
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00831193 1_2_00831193
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082B397 1_2_0082B397
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082D99A 1_2_0082D99A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00822FA2 1_2_00822FA2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00829DA1 1_2_00829DA1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00824BAA 1_2_00824BAA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00827BB2 1_2_00827BB2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082B1B5 1_2_0082B1B5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081BFB6 1_2_0081BFB6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008325C3 1_2_008325C3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00816FC4 1_2_00816FC4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081A3DF 1_2_0081A3DF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008155E8 1_2_008155E8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082BFE8 1_2_0082BFE8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008303F1 1_2_008303F1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081C5FE 1_2_0081C5FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00813502 1_2_00813502
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00812309 1_2_00812309
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082FD10 1_2_0082FD10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081251C 1_2_0081251C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815923 1_2_00815923
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00816B25 1_2_00816B25
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0083292B 1_2_0083292B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00830B34 1_2_00830B34
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00831343 1_2_00831343
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00813345 1_2_00813345
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082F14D 1_2_0082F14D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081C158 1_2_0081C158
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00813F5C 1_2_00813F5C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082056A 1_2_0082056A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00821F6B 1_2_00821F6B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082577E 1_2_0082577E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A6620 1_2_6E6A6620
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A5730 1_2_6E6A5730
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A5EE0 1_2_6E6A5EE0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6CC6FE 1_2_6E6CC6FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6AF700 1_2_6E6AF700
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6C3780 1_2_6E6C3780
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6BDC5D 1_2_6E6BDC5D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6B1CD0 1_2_6E6B1CD0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6BDA2D 1_2_6E6BDA2D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A2A80 1_2_6E6A2A80
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6BA29D 1_2_6E6BA29D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6D3074 1_2_6E6D3074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6A6620 3_2_6E6A6620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6A5730 3_2_6E6A5730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6A5EE0 3_2_6E6A5EE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6CC6FE 3_2_6E6CC6FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6AF700 3_2_6E6AF700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6C3780 3_2_6E6C3780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6BDC5D 3_2_6E6BDC5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6B1CD0 3_2_6E6B1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6BDA2D 3_2_6E6BDA2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6A2A80 3_2_6E6A2A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6BA29D 3_2_6E6BA29D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6D3074 3_2_6E6D3074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6D1929 3_2_6E6D1929
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E6B5BE0 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E6B5BE0 appears 46 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A13F0 zwxnlwalmcbgmt, 1_2_6E6A13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6A13F0 zwxnlwalmcbgmt, 3_2_6E6A13F0
Sample file is different than original file name gathered from version info
Source: FIyE6huzxV.dll Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs FIyE6huzxV.dll
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: FIyE6huzxV.dll Virustotal: Detection: 19%
Source: FIyE6huzxV.dll ReversingLabs: Detection: 22%
Source: FIyE6huzxV.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,abziuleoxsborpb
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,aejkroaebsbxdnkhb
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm",sRLFwndulUmgRNP
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Esbkudiqskvxrfyc\iscoyl.gsm",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@37/7@0/21
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6ABC70 SHGetFolderPathW,CoCreateInstance, 1_2_6E6ABC70
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_030E1B54 CreateToolhelp32Snapshot, 19_2_030E1B54
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5408:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6AEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 1_2_6E6AEBD0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\System32\BackgroundTransferHost.exe Automated click: OK
Source: FIyE6huzxV.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: FIyE6huzxV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FIyE6huzxV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FIyE6huzxV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FIyE6huzxV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FIyE6huzxV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00811229 push eax; retf 1_2_0081129A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6B5C26 push ecx; ret 1_2_6E6B5C39
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6D8067 push ecx; ret 1_2_6E6D807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6B5C26 push ecx; ret 3_2_6E6B5C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6D8067 push ecx; ret 3_2_6E6D807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_030E6134 push edi; retf 0040h 19_2_030E6135
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_030E475A pushfd ; iretd 19_2_030E475B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_030D1229 push eax; retf 19_2_030D129A
PE file contains an invalid checksum
Source: FIyE6huzxV.dll Static PE information: real checksum: 0x81586 should be: 0x7a3ed

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E6A6672 second address: 000000006E6A66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD278BE2511h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E6A8A23 second address: 000000006E6A8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD278BF905Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E6A6672 second address: 000000006E6A66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD278BE2511h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E6A8A23 second address: 000000006E6A8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD278BF905Eh 0x00000007 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6572 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6576 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4460 Thread sleep time: -180000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A6620 rdtscp 1_2_6E6A6620
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6CD1EE FindFirstFileExA, 1_2_6E6CD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6CD1EE FindFirstFileExA, 3_2_6E6CD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_030E1A80 FindFirstFileW, 19_2_030E1A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000006.00000002.633228868.0000019BB3862000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 0000001E.00000003.550373465.000002E1BC082000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: svchost.exe, 00000006.00000002.632380609.0000019BAE229000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.551731215.000002E1BC0E1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000002.772886609.0000015A28A69000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.772237774.000001CBF3629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW&Z=

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6BED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E6BED41
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6B846D GetProcessHeap,HeapFree,InterlockedPushEntrySList, 1_2_6E6B846D
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A6620 rdtscp 1_2_6E6A6620
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0082DE10 mov eax, dword ptr fs:[00000030h] 1_2_0082DE10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A6620 mov ecx, dword ptr fs:[00000030h] 1_2_6E6A6620
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6B849D mov esi, dword ptr fs:[00000030h] 1_2_6E6B849D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A6510 mov eax, dword ptr fs:[00000030h] 1_2_6E6A6510
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6A8A50 mov eax, dword ptr fs:[00000030h] 1_2_6E6A8A50
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6C69AA mov eax, dword ptr fs:[00000030h] 1_2_6E6C69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6A6620 mov ecx, dword ptr fs:[00000030h] 3_2_6E6A6620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6B849D mov esi, dword ptr fs:[00000030h] 3_2_6E6B849D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6A6510 mov eax, dword ptr fs:[00000030h] 3_2_6E6A6510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6A8A50 mov eax, dword ptr fs:[00000030h] 3_2_6E6A8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6C69AA mov eax, dword ptr fs:[00000030h] 3_2_6E6C69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_030EDE10 mov eax, dword ptr fs:[00000030h] 19_2_030EDE10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6BED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E6BED41
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6B5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6E6B5239
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6B5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E6B5ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6BED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E6BED41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6B5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E6B5239
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6B5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E6B5ABD

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Source: rundll32.exe, 00000013.00000002.773907586.00000000036F0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: rundll32.exe, 00000013.00000002.773907586.00000000036F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000013.00000002.773907586.00000000036F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000013.00000002.773907586.00000000036F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6E6D5F10
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6E6D57AC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E6D5DE7
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E6CDD93
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E6D5A6F
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E6D5A24
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E6CE2F8
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E6D5B0A
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E6D5B97
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E6D6017
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E6D60E4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E6D597B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E6D5F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E6D57AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E6D5DE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E6CDD93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E6D5A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E6D5A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E6CE2F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E6D5B0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E6D5B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E6D6017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E6D60E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E6D597B
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6B5916 cpuid 1_2_6E6B5916
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E6B5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6E6B5C3C

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000011.00000002.772444199.00000294AAB02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 1.2.loaddll32.exe.90bee8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3505238.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2e943e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2e943e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2a55338.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2a55338.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.30f4200.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.90bee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3505238.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.30f4200.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.350213708.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.352423510.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.377422235.00000000030DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.773455424.0000000003285000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.352676760.00000000034EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.351034288.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351194213.0000000002A3A000.00000004.00000020.sdmp, type: MEMORY