Windows Analysis Report 6zAcNlJXo7

Overview

General Information

Sample Name: 6zAcNlJXo7 (renamed file extension from none to dll)
Analysis ID: 532221
MD5: c7e23f2764d6ed9b59b0fed69a4488b0
SHA1: 67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256: d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 0.0.loaddll32.exe.bb0000.9.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: 6zAcNlJXo7.dll Virustotal: Detection: 23%
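The configuration block above is the most actionable part of this report, and the two "Public Key" strings are worth more than a glance: they decode to Windows BCRYPT_ECCKEY_BLOB structures (DWORD magic, DWORD cbKey, then big-endian X and Y), with magics "ECK1" (ECDH, P-256) and "ECS1" (ECDSA, P-256). The script below is an added example, not Joe Sandbox code: it copies the extracted config verbatim, validates every C2 entry, decodes both key blobs, confirms each (X, Y) is actually a point on P-256 (a truncated or mis-carved blob would fail this), and emits a deduplicated ip/port blocklist. The blob layout, the curve check and the output format are this example's own assumptions about how to triage such a config.

```python
"""Triage of the Emotet configuration extracted in this report.

Added example, not Joe Sandbox code. CONFIG is the dictionary the report's
configuration extractor printed, copied verbatim; the key-blob layout,
the curve check and the indicator output are this example's own assumptions.
"""
import base64
import ipaddress
import struct
from collections import Counter

CONFIG = {
    "C2 list": [
        "46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080",
        "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080",
        "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080",
        "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443",
        "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443",
        "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080",
        "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080",
        "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080",
        "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080",
        "51.68.175.8:8080", "210.57.217.132:8080",
    ],
    "Public Key": [
        "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2",
        "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5",
    ],
}

# The base64 strings decode to Windows BCRYPT_ECCKEY_BLOB structures:
# DWORD magic, DWORD cbKey, then X and Y as big-endian cbKey-byte integers.
# The magic DWORDs read as ASCII when viewed as bytes.
KEY_KINDS = {b"ECK1": "ECDH P-256 public", b"ECS1": "ECDSA P-256 public"}

# NIST P-256 parameters (FIPS 186-4), used only to confirm that (X, Y) is a
# point on the curve, i.e. the blob was carved cleanly and not shifted.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def parse_c2(entry: str):
    """Split 'ip:port', validate both halves, raise ValueError on anything else."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"no port in C2 entry {entry!r}")
    addr = ipaddress.ip_address(host)          # rejects hostnames and garbage
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in C2 entry {entry!r}")
    return addr, port


def parse_ecc_blob(b64: str) -> dict:
    """Decode one public-key blob and sanity-check it against P-256."""
    blob = base64.b64decode(b64, validate=True)
    magic, cb_key = struct.unpack_from("<4sI", blob, 0)
    if magic not in KEY_KINDS:
        raise ValueError(f"unknown key blob magic {magic!r}")
    if cb_key != 32 or len(blob) != 8 + 2 * cb_key:
        raise ValueError(f"unexpected blob size cbKey={cb_key} len={len(blob)}")
    x = int.from_bytes(blob[8:8 + cb_key], "big")
    y = int.from_bytes(blob[8 + cb_key:8 + 2 * cb_key], "big")
    # y^2 == x^3 - 3x + b (mod p) holds for every valid P-256 point.
    on_curve = (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0
    return {"kind": KEY_KINDS[magic], "bits": cb_key * 8,
            "on_curve": on_curve, "x": x, "y": y}


def triage(config: dict = CONFIG) -> dict:
    """Validate the whole config and summarise it for an IOC hand-off."""
    c2 = [parse_c2(e) for e in config["C2 list"]]
    keys = [parse_ecc_blob(k) for k in config["Public Key"]]
    return {
        "c2": c2,
        "unique_ips": sorted({str(a) for a, _ in c2}),
        "ports": dict(Counter(p for _, p in c2)),
        "keys": keys,
    }


def blocklist(config: dict = CONFIG) -> list:
    """One 'ip port' line per C2, deduplicated and sorted, for a firewall or
    network-sensor import."""
    return sorted(f"{a} {p}" for a, p in triage(config)["c2"])


if __name__ == "__main__":
    t = triage()
    print(f"{len(t['c2'])} C2 endpoints, ports: {t['ports']}")
    for k in t["keys"]:
        print(f"{k['kind']} key, {k['bits']} bit, on curve: {k['on_curve']}")
    print("\n".join(blocklist()))
```

The curve check matters in practice: a blob that decodes with the right magic but an off-curve point usually means the extractor grabbed the wrong offset, and pivoting on that key (for example to cluster samples by epoch) would be wrong. Both keys here are proper P-256 points, and the 29 endpoints spread over ports 8080, 443, 7080 and 80, so a port-based block alone would not cover them.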

Compliance:

Uses 32bit PE files
Source: 6zAcNlJXo7.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: 6zAcNlJXo7.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.649095483.000000000467A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.659957517.0000000000832000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED32FE7 FindFirstFileExW, 0_2_6ED32FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED32FE7 FindFirstFileExW, 3_2_6ED32FE7

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 104.245.52.73:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 103.8.26.103:8080
Source: Malware configuration extractor IPs: 185.184.25.237:8080
Source: Malware configuration extractor IPs: 103.8.26.102:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 51.68.175.8:8080
Source: Malware configuration extractor IPs: 210.57.217.132:8080
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 19
Source: WerFault.exe, 00000014.00000003.690493466.0000000005241000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.693988608.0000000005241000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.18.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.695541549.000000000139B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.3202148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6f2160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3202148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a33628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a33628.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6f2160.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.35f42a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.35f42a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 6zAcNlJXo7.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vxxnweikxwymx\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCED95 0_2_00BCED95
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC3ABE 0_2_00BC3ABE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBAEB9 0_2_00BBAEB9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCB0BA 0_2_00BCB0BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC56A9 0_2_00BC56A9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB68AD 0_2_00BB68AD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC04A4 0_2_00BC04A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBF4A5 0_2_00BBF4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBC69B 0_2_00BBC69B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBF699 0_2_00BBF699
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBD899 0_2_00BBD899
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB3085 0_2_00BB3085
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD20F8 0_2_00BD20F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBE6FD 0_2_00BBE6FD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBBEF5 0_2_00BBBEF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD06EF 0_2_00BD06EF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBA8E8 0_2_00BBA8E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC7EDD 0_2_00BC7EDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD0AD3 0_2_00BD0AD3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB54C0 0_2_00BB54C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB3E3B 0_2_00BB3E3B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCCC3F 0_2_00BCCC3F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC0A37 0_2_00BC0A37
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC0824 0_2_00BC0824
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCBA18 0_2_00BCBA18
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD2C16 0_2_00BD2C16
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC1C12 0_2_00BC1C12
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBF20D 0_2_00BBF20D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCE478 0_2_00BCE478
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD1C71 0_2_00BD1C71
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD0C66 0_2_00BD0C66
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC645F 0_2_00BC645F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC604E 0_2_00BC604E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB33A9 0_2_00BB33A9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC77A7 0_2_00BC77A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCBFA1 0_2_00BCBFA1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC6B91 0_2_00BC6B91
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB938F 0_2_00BB938F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD1987 0_2_00BD1987
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB7D87 0_2_00BB7D87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBF984 0_2_00BBF984
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB1DF9 0_2_00BB1DF9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCD5FE 0_2_00BCD5FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB6BFE 0_2_00BB6BFE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC91F7 0_2_00BC91F7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBFBEF 0_2_00BBFBEF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBB7EC 0_2_00BBB7EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD35E3 0_2_00BD35E3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCE7DA 0_2_00BCE7DA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC89DA 0_2_00BC89DA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC13DB 0_2_00BC13DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB5DC3 0_2_00BB5DC3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB39C3 0_2_00BB39C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC4DC5 0_2_00BC4DC5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC0FC5 0_2_00BC0FC5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB2DC5 0_2_00BB2DC5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB7739 0_2_00BB7739
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC473A 0_2_00BC473A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC3130 0_2_00BC3130
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBE336 0_2_00BBE336
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCCF2C 0_2_00BCCF2C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBB12E 0_2_00BBB12E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB6125 0_2_00BB6125
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC8518 0_2_00BC8518
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB8112 0_2_00BB8112
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB4716 0_2_00BB4716
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB5314 0_2_00BB5314
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC710D 0_2_00BC710D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCD10B 0_2_00BCD10B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD3306 0_2_00BD3306
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC5B7C 0_2_00BC5B7C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB597D 0_2_00BB597D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB2B7C 0_2_00BB2B7C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB2176 0_2_00BB2176
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCC772 0_2_00BCC772
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB2575 0_2_00BB2575
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB196D 0_2_00BB196D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB996C 0_2_00BB996C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCF561 0_2_00BCF561
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB5166 0_2_00BB5166
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBDD66 0_2_00BBDD66
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD2560 0_2_00BD2560
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB9565 0_2_00BB9565
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB8D59 0_2_00BB8D59
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB635F 0_2_00BB635F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD2D4F 0_2_00BD2D4F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BD314A 0_2_00BD314A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB4F42 0_2_00BB4F42
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BCC145 0_2_00BCC145
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1A6D0 0_2_6ED1A6D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1E6E0 0_2_6ED1E6E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED166E0 0_2_6ED166E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED15EA0 0_2_6ED15EA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED20F10 0_2_6ED20F10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED11C10 0_2_6ED11C10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED175F4 0_2_6ED175F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED19D50 0_2_6ED19D50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED30A61 0_2_6ED30A61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1D380 0_2_6ED1D380
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED138C0 0_2_6ED138C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED201D0 0_2_6ED201D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED1A6D0 3_2_6ED1A6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED1E6E0 3_2_6ED1E6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED166E0 3_2_6ED166E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED15EA0 3_2_6ED15EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED20F10 3_2_6ED20F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED11C10 3_2_6ED11C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED175F4 3_2_6ED175F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED19D50 3_2_6ED19D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED30A61 3_2_6ED30A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED1D380 3_2_6ED1D380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED138C0 3_2_6ED138C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED201D0 3_2_6ED201D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C06EF 12_2_007C06EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BED95 12_2_007BED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BE478 12_2_007BE478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C1C71 12_2_007C1C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C0C66 12_2_007C0C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B645F 12_2_007B645F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B604E 12_2_007B604E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A3E3B 12_2_007A3E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BCC3F 12_2_007BCC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B0A37 12_2_007B0A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B0824 12_2_007B0824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BBA18 12_2_007BBA18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B1C12 12_2_007B1C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C2C16 12_2_007C2C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AF20D 12_2_007AF20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C20F8 12_2_007C20F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AE6FD 12_2_007AE6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007ABEF5 12_2_007ABEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AA8E8 12_2_007AA8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B7EDD 12_2_007B7EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C0AD3 12_2_007C0AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A54C0 12_2_007A54C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BB0BA 12_2_007BB0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AAEB9 12_2_007AAEB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B3ABE 12_2_007B3ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B56A9 12_2_007B56A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A68AD 12_2_007A68AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B04A4 12_2_007B04A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AF4A5 12_2_007AF4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AC69B 12_2_007AC69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AF699 12_2_007AF699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AD899 12_2_007AD899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A3085 12_2_007A3085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A2B7C 12_2_007A2B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B5B7C 12_2_007B5B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A597D 12_2_007A597D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BC772 12_2_007BC772
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A2176 12_2_007A2176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A2575 12_2_007A2575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A996C 12_2_007A996C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A196D 12_2_007A196D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BF561 12_2_007BF561
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A5166 12_2_007A5166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007ADD66 12_2_007ADD66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C2560 12_2_007C2560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A9565 12_2_007A9565
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A8D59 12_2_007A8D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A635F 12_2_007A635F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C2D4F 12_2_007C2D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C314A 12_2_007C314A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A4F42 12_2_007A4F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BC145 12_2_007BC145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B473A 12_2_007B473A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A7739 12_2_007A7739
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B3130 12_2_007B3130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AE336 12_2_007AE336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AB12E 12_2_007AB12E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BCF2C 12_2_007BCF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A6125 12_2_007A6125
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B8518 12_2_007B8518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A8112 12_2_007A8112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A4716 12_2_007A4716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A5314 12_2_007A5314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BD10B 12_2_007BD10B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B710D 12_2_007B710D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C3306 12_2_007C3306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A1DF9 12_2_007A1DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A6BFE 12_2_007A6BFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BD5FE 12_2_007BD5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B91F7 12_2_007B91F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AFBEF 12_2_007AFBEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AB7EC 12_2_007AB7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C35E3 12_2_007C35E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B13DB 12_2_007B13DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BE7DA 12_2_007BE7DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B89DA 12_2_007B89DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A5DC3 12_2_007A5DC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A39C3 12_2_007A39C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B4DC5 12_2_007B4DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B0FC5 12_2_007B0FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A2DC5 12_2_007A2DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A33A9 12_2_007A33A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007BBFA1 12_2_007BBFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B77A7 12_2_007B77A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A938F 12_2_007A938F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007C1987 12_2_007C1987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A7D87 12_2_007A7D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007AF984 12_2_007AF984
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6ED11C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6ED2D350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6ED11C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6ED2D350 appears 33 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: 6zAcNlJXo7.dll Virustotal: Detection: 23%
Source: 6zAcNlJXo7.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F19.tmp
Source: classification engine Classification label: mal80.troj.evad.winDLL@32/14@0/30
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:2984:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:4764:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4600
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 6zAcNlJXo7.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 6zAcNlJXo7.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.649095483.000000000467A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.659957517.0000000000832000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB005E push esp; iretd 0_2_00BB0061
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB151C push ds; ret 0_2_00BB1527
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB150F push ds; ret 0_2_00BB1527
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED39153 push ecx; ret 0_2_6ED39166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED39153 push ecx; ret 3_2_6ED39166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A005E push esp; iretd 12_2_007A0061
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A151C push ds; ret 12_2_007A1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007A150F push ds; ret 12_2_007A1527
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6ED1E4E0

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED32FE7 FindFirstFileExW, 0_2_6ED32FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED32FE7 FindFirstFileExW, 3_2_6ED32FE7
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.18.dr Binary or memory string: VMware
Source: Amcache.hve.18.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.18.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr Binary or memory string: VMware7,1
Source: Amcache.hve.18.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000014.00000002.693957427.0000000005230000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690547761.0000000005229000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690564207.000000000522F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.693828376.0000000005200000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690533952.0000000005226000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.18.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: WerFault.exe, 00000014.00000002.693957427.0000000005230000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690547761.0000000005229000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690564207.000000000522F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690533952.0000000005226000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWk
Source: Amcache.hve.18.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6ED2D1CC
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6ED1E4E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED11290 GetProcessHeap,HeapAlloc,HeapFree, 0_2_6ED11290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BC4315 mov eax, dword ptr fs:[00000030h] 0_2_00BC4315
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2C050 mov eax, dword ptr fs:[00000030h] 0_2_6ED2C050
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2BFE0 mov esi, dword ptr fs:[00000030h] 0_2_6ED2BFE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2BFE0 mov eax, dword ptr fs:[00000030h] 0_2_6ED2BFE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED312CB mov ecx, dword ptr fs:[00000030h] 0_2_6ED312CB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3298C mov eax, dword ptr fs:[00000030h] 0_2_6ED3298C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED2C050 mov eax, dword ptr fs:[00000030h] 3_2_6ED2C050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED2BFE0 mov esi, dword ptr fs:[00000030h] 3_2_6ED2BFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED2BFE0 mov eax, dword ptr fs:[00000030h] 3_2_6ED2BFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED312CB mov ecx, dword ptr fs:[00000030h] 3_2_6ED312CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED3298C mov eax, dword ptr fs:[00000030h] 3_2_6ED3298C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007B4315 mov eax, dword ptr fs:[00000030h] 12_2_007B4315
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBE259 LdrInitializeThunk, 0_2_00BBE259
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6ED2CB22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6ED2D1CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED329E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6ED329E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED2CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6ED2CB22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6ED2D1CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED329E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6ED329E6

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2CC44 cpuid 0_2_6ED2CC44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2CE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6ED2CE15

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.18.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.3202148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6f2160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3202148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a33628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.a33628.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6f2160.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.13b3b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.35f42a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.35f42a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
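The UNPACKEDPE and MEMORY match names above encode the same process and stage indices (0 = loaddll32.exe; 3, 4, 5, 6, 12 = the rundll32.exe children) and the same base addresses, so the two lists can be joined to find which memory dumps hold the unpacked Emotet payload. The following triage helper is an added example and not part of the Joe Sandbox report. It assumes the naming conventions visible in the list, `<proc>.<stage>.<image>.<base>.<n>[.raw].unpack` for unpacked PEs and `<proc>.<stage>.<timestamp>.<base>.<protection>.<type>.sdmp` for memory dumps, and it assumes that the fifth field of a `.sdmp` name is a winnt.h PAGE_* protection value (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE); that field interpretation is an assumption, the report does not state it. The sample lines are copied from the match list on this page.

```python
import re
from collections import defaultdict

# Subset of the "Yara match" lines from the report above (copied, not constructed).
REPORT_LINES = """\
Source: Yara match File source: 3.2.rundll32.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, type: MEMORY
"""

# winnt.h page protection constants. ASSUMPTION: the fifth field of a .sdmp
# name carries one of these values; the report itself does not document it.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

LINE_RE = re.compile(r"File source:\s*(?P<name>[^,\s]+),\s*type:\s*(?P<type>\w+)")
UNPACKED_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?\.exe)\."
    r"(?P<base>[0-9a-fA-F]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
MEMDUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$")


def describe_protection(value):
    """Name a PAGE_* value; high modifier bits (PAGE_GUARD etc.) are ignored."""
    return PAGE_PROTECTIONS.get(value & 0xFF, f"unknown(0x{value:x})")


def parse_sources(text):
    """Turn 'Source: Yara match File source: ...' lines into normalised records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name, typ = m.group("name"), m.group("type")
        if typ == "UNPACKEDPE":
            u = UNPACKED_RE.match(name)
            if u:
                records.append({"type": typ, "proc": int(u["proc"]),
                                "stage": int(u["stage"]), "image": u["image"],
                                "base": int(u["base"], 16), "raw": bool(u["raw"])})
        elif typ == "MEMORY":
            d = MEMDUMP_RE.match(name)
            if d:
                # Process and stage are hex-padded in dump names (0000000C == 12).
                records.append({"type": typ, "proc": int(d["proc"], 16),
                                "stage": int(d["stage"], 16),
                                "base": int(d["base"], 16), "prot": int(d["prot"], 16)})
    return records


def correlate(records):
    """Group matches by (process, stage, base address) so an unpacked PE can be
    matched against the memory dump that was taken at the same region."""
    by_key = defaultdict(lambda: {"image": None, "unpacked_pe": False, "prots": set()})
    for r in records:
        slot = by_key[(r["proc"], r["stage"], r["base"])]
        if r["type"] == "UNPACKEDPE":
            slot["unpacked_pe"] = True
            slot["image"] = r["image"]
        else:
            slot["prots"].add(r["prot"])
    return by_key


def rwx_payload_regions(records):
    """Return sorted (proc, base, image) for regions that are both an unpacked PE
    and a PAGE_EXECUTE_READWRITE dump: the decrypted payload, first thing to pull."""
    hits = []
    for (proc, _stage, base), slot in correlate(records).items():
        if slot["unpacked_pe"] and 0x40 in slot["prots"]:
            hits.append((proc, base, slot["image"]))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_sources(REPORT_LINES)
    for proc, base, image in rwx_payload_regions(recs):
        print(f"process {proc:2d} ({image}): unpacked PE at 0x{base:08X} in an RWX region")
```

Regions that match as MEMORY only, such as the PAGE_READWRITE dumps at 0x835000 and 0xA1A000, are heap or stack copies of config and strings and are not reported by `rwx_payload_regions`; they are still worth carving for the C2 list but are not the place to start when you want the unpacked module.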
[Legend of the world-map figure: number of contacted IPs per country as a share of the total, in buckets < 25%, 25-50%, 50-75% and > 75%]