Windows Analysis Report Zd9TtpY4Kh.dll

Overview

General Information

Sample Name: Zd9TtpY4Kh.dll
Analysis ID: 532296
MD5: 71eea35f36f3642fdbb94d9310e87747
SHA1: 25bcd5a134df55a5465ebe39f57bf758d5672197
SHA256: bbadafe48d63d23d3a2ebb4a4103e32646d314d5ffb8e2551d62270f8b3ec352
Tags: 32dllexe

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Multi AV Scanner detection for submitted file
Source: Zd9TtpY4Kh.dll Virustotal: Detection: 18%
Source: Zd9TtpY4Kh.dll ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: Zd9TtpY4Kh.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: Zd9TtpY4Kh.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.556517753.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556334837.0000000004B97000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556378070.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.556384233.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556472913.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.556384233.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556472913.00000000030A8000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.556517753.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556378070.00000000030A2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.574278186.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.573540381.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.566852906.0000000002B52000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.574278186.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.573540381.000000000088B000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B0927 FindFirstFileExW, 0_2_6E9B0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9B0927 FindFirstFileExW, 3_2_6E9B0927
Source: WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmp String found in binary or memory: http://crl.m
Source: WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.22.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000B.00000002.428918410.000002C111813000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.comt
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.comlCount
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000002.444224118.000002C11186B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403182964.000002C111869000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000002.442381647.000002C111861000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403199024.000002C111860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.403212606.000002C111849000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.438698204.000002C11184A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.403189842.000002C111865000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.403196324.000002C111863000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.403221693.000002C111842000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403228395.000002C111843000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.437894067.000002C111844000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.437291550.000002C111841000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.433607241.000002C111829000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.403231939.000002C11183E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.368982920.000002C111835000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.403235220.000002C111850000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.440105242.000002C111856000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.403202396.000002C11184D000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001E.00000003.655732792.0000020D89D8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655842295.0000020D89D6B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.655765717.0000020D89DCF000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001E.00000003.657779525.0000020D89D79000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0.2.loaddll32.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3152160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e92148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c43b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e92148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c43b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.34220a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.32e2240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2f70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3152160.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.34220a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.32e2240.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.551258636.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.549497176.0000000002F70000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.662460484.00000000032CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.552293543.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.568744360.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.547372307.000000000340A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.547349453.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.547377185.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.552423599.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.569816044.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.569948888.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.548909255.0000000002F80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.568827402.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.598491073.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.518552205.00000000030C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.547342704.0000000003370000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.551169265.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.549093887.000000000313A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.598587675.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.662344438.0000000003210000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: Zd9TtpY4Kh.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Lklkgjuftglvvvqq\
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E991DE0 appears 97 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E9AAC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E991DE0 appears 89 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E9AAC90 appears 33 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: Zd9TtpY4Kh.dll Virustotal: Detection: 18%
Source: Zd9TtpY4Kh.dll ReversingLabs: Detection: 17%
Source: Zd9TtpY4Kh.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",YYthscLHd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 320
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7160 -ip 7160
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 328
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 320
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 328
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER99E3.tmp
Source: classification engine Classification label: mal80.troj.evad.winDLL@45/22@0/0
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5216:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7160
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:3544:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5672:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Zd9TtpY4Kh.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Zd9TtpY4Kh.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.556517753.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556334837.0000000004B97000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556378070.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.556384233.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556472913.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.556384233.00000000030A8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556472913.00000000030A8000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.556517753.00000000030A2000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.556378070.00000000030A2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.574278186.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.573540381.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.559101637.0000000004F21000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585714849.0000000004A41000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.566852906.0000000002B52000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.574278186.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.573540381.000000000088B000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00AF13E7 push esi; retf 0_2_00AF13F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B6A93 push ecx; ret 0_2_6E9B6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02F713E7 push esi; retf 3_2_02F713F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9B6A93 push ecx; ret 3_2_6E9B6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E997B08 push es; retf 3_2_6E997B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F813E7 push esi; retf 4_2_02F813F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E99E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E99E690

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Lklkgjuftglvvvqq\zogfgblopvxymh.tnq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 924 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B0927 FindFirstFileExW, 0_2_6E9B0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9B0927 FindFirstFileExW, 3_2_6E9B0927
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.22.dr Binary or memory string: VMware
Source: Amcache.hve.22.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.22.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr Binary or memory string: VMware7,1
Source: Amcache.hve.22.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000001.00000002.682610533.0000025E21402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: WerFault.exe, 00000019.00000002.597687109.00000000046C6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.597736196.00000000046F6000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595782646.00000000046F4000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.595850658.00000000046C6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.22.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: svchost.exe, 00000001.00000002.682665171.0000025E21428000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: Amcache.hve.22.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: svchost.exe, 00000005.00000002.682659763.0000024A58841000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.682371732.000001E0B4629000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.593861160.00000000046DC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9AAB0C
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E99E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E99E690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E991290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 0_2_6E991290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B007D2 mov eax, dword ptr fs:[00000030h] 0_2_00B007D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9A9990 mov eax, dword ptr fs:[00000030h] 0_2_6E9A9990
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AEC0B mov ecx, dword ptr fs:[00000030h] 0_2_6E9AEC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B02CC mov eax, dword ptr fs:[00000030h] 0_2_6E9B02CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9A9920 mov esi, dword ptr fs:[00000030h] 0_2_6E9A9920
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9A9920 mov eax, dword ptr fs:[00000030h] 0_2_6E9A9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02F807D2 mov eax, dword ptr fs:[00000030h] 3_2_02F807D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9A9990 mov eax, dword ptr fs:[00000030h] 3_2_6E9A9990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9AEC0B mov ecx, dword ptr fs:[00000030h] 3_2_6E9AEC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9B02CC mov eax, dword ptr fs:[00000030h] 3_2_6E9B02CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9A9920 mov esi, dword ptr fs:[00000030h] 3_2_6E9A9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9A9920 mov eax, dword ptr fs:[00000030h] 3_2_6E9A9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F907D2 mov eax, dword ptr fs:[00000030h] 4_2_02F907D2
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B028D5 LdrInitializeThunk, 0_2_00B028D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E9AA462
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9AAB0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9B0326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9AA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E9AA462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9AAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E9AAB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9B0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E9B0326

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7160 -ip 7160
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 320
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7160 -ip 7160
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 328
Source: loaddll32.exe, 00000000.00000000.552534627.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570145922.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568927758.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.551349425.0000000001410000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.683234293.000001BF1B990000.00000002.00020000.sdmp, rundll32.exe, 00000020.00000002.684873888.0000000003380000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.552534627.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570145922.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568927758.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.551349425.0000000001410000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.683234293.000001BF1B990000.00000002.00020000.sdmp, rundll32.exe, 00000020.00000002.684873888.0000000003380000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.552534627.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570145922.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568927758.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.551349425.0000000001410000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.683234293.000001BF1B990000.00000002.00020000.sdmp, rundll32.exe, 00000020.00000002.684873888.0000000003380000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.552534627.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570145922.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.568927758.0000000001410000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.551349425.0000000001410000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.683234293.000001BF1B990000.00000002.00020000.sdmp, rundll32.exe, 00000020.00000002.684873888.0000000003380000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AA584 cpuid 0_2_6E9AA584
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9AA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E9AA755

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.22.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000D.00000002.683335686.000001D56DE40000.00000004.00000001.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000D.00000002.683184608.000001D56DE29000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.683539954.000001D56DF02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0.2.loaddll32.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3152160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e92148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c43b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e92148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c43b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c43b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.34220a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.32e2240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2f70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3152160.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.34220a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.af0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.32e2240.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.551258636.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.549497176.0000000002F70000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.662460484.00000000032CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.552293543.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.568744360.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.547372307.000000000340A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.547349453.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.547377185.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.552423599.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.569816044.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.569948888.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.548909255.0000000002F80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.568827402.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.598491073.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.518552205.00000000030C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.547342704.0000000003370000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.551169265.0000000000AF0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.549093887.000000000313A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.598587675.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.662344438.0000000003210000.00000040.00000010.sdmp, type: MEMORY
No contacted IP infos