Windows Analysis Report 5i3yQOSqTm.dll

Overview

General Information

Sample Name: 5i3yQOSqTm.dll
Analysis ID: 532299
MD5: 1e3db971ac31b856864c12b55bcc4435
SHA1: 8f47d8c2d75df496a20b5ddaec949f9524c60a66
SHA256: df1aec18655ffd091bac7e217ad7334c30d99bd906ec9269d0a38c5c92267fbd
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 5i3yQOSqTm.dll Virustotal: Detection: 19%
Source: 5i3yQOSqTm.dll ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: 5i3yQOSqTm.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: 5i3yQOSqTm.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.551496260.0000000004CE0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551418206.0000000004CDB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551636970.0000000003136000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.551523098.000000000313C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.551523098.000000000313C000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551849737.0000000003130000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.574550716.0000000002D8B000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.561663979.0000000002E32000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.574550716.0000000002D8B000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA20927 FindFirstFileExW, 0_2_6EA20927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA20927 FindFirstFileExW, 2_2_6EA20927
Source: WerFault.exe, 0000001A.00000003.592277871.0000000004DAB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.593854675.0000000004DBD000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.592359463.0000000004DBC000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.671803224.000001B061500000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001D.00000002.671610507.000001B060CF0000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001D.00000003.653107268.000001B061559000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653378746.000001B06157C000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653146089.000001B0615AD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653434051.000001B0615CB000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000002.558793668.00000133DC813000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000003.558347329.00000133DC84D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.558858690.00000133DC844000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558393707.00000133DC843000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.558858690.00000133DC844000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558393707.00000133DC843000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.558937276.00000133DC86B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558300449.00000133DC869000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.558858690.00000133DC844000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558393707.00000133DC843000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.558907657.00000133DC861000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558341613.00000133DC860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.558365403.00000133DC849000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558876855.00000133DC84A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001D.00000003.653107268.000001B061559000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653378746.000001B06157C000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653146089.000001B0615AD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653434051.000001B0615CB000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000C.00000003.558347329.00000133DC84D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.558365403.00000133DC849000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558876855.00000133DC84A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.558365403.00000133DC849000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558876855.00000133DC84A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.558377257.00000133DC847000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558341613.00000133DC860000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.558336643.00000133DC863000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.558858690.00000133DC844000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558393707.00000133DC843000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558382669.00000133DC842000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.558845183.00000133DC841000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.558817901.00000133DC829000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.511519063.00000133DC835000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.511519063.00000133DC835000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.511519063.00000133DC835000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.511519063.00000133DC835000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558399420.00000133DC83E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.558347329.00000133DC84D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.558405102.00000133DC850000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.558891905.00000133DC856000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001D.00000003.653107268.000001B061559000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653378746.000001B06157C000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653146089.000001B0615AD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653434051.000001B0615CB000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001D.00000003.653107268.000001B061559000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653378746.000001B06157C000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653146089.000001B0615AD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.653434051.000001B0615CB000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001D.00000003.654408703.000001B06158D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654457707.000001B0615D6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654487337.000001B061A02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654472024.000001B0615BF000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654423954.000001B06159E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.654435460.000001B0615D6000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000000.565990716.0000000000D6B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d83b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32a2148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.8320a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.dd2160.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d83b40.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d83b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d83b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.940000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32a2148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d83b40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d83b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.4540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d83b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.4540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b10000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.dd2160.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d83b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d83b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d83b40.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.c62468.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.8320a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.c62468.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.594385432.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.539875956.00000000046D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.546111377.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.539257826.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.544278858.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.566017355.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.565844645.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.544809627.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.564089777.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.539444017.0000000000940000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.564150952.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.513866249.0000000000BD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.532223099.0000000000DBA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.539407249.000000000081A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.661436675.0000000000C4A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.594452020.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.546379647.0000000000D7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.543487140.0000000000E70000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.662192713.0000000004540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.544682886.0000000000B10000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 5i3yQOSqTm.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Pmleysyipg\
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA1AC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA01DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA1AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA01DE0 appears 97 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: 5i3yQOSqTm.dll Virustotal: Detection: 19%
Source: 5i3yQOSqTm.dll ReversingLabs: Detection: 17%
Source: 5i3yQOSqTm.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj
Source: unknown Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "572" "2360" "2316" "2356" "0" "0" "2352" "0" "0" "0" "0" "0"
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso",qxtrVBTbrIKuSW
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 308
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4340 -ip 4340
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pmleysyipg\sjdwpny.iso",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\wermgr.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD33.tmp
Source: classification engine Classification label: mal80.troj.evad.winDLL@43/26@0/1
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wermgr.exe Mutant created: \BaseNamedObjects\Local\SM0:2016:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4340
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6704:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:3744:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 5i3yQOSqTm.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 5i3yQOSqTm.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.551496260.0000000004CE0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551418206.0000000004CDB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551636970.0000000003136000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.551523098.000000000313C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.551523098.000000000313C000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.551849737.0000000003130000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.574550716.0000000002D8B000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.553758793.0000000004F71000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.579582842.00000000050F1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.561663979.0000000002E32000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.574550716.0000000002D8B000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B113E7 push esi; retf 0_2_00B113F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA26A93 push ecx; ret 0_2_6EA26AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA26A93 push ecx; ret 2_2_6EA26AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046D13E7 push esi; retf 3_2_046D13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009413E7 push esi; retf 6_2_009413F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045413E7 push esi; retf 14_2_045413F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA0E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6EA0E690

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Pmleysyipg\sjdwpny.iso:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4640 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA20927 FindFirstFileExW, 0_2_6EA20927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA20927 FindFirstFileExW, 2_2_6EA20927
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000004.00000002.678237792.000001482C802000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: WerFault.exe, 0000001A.00000002.593843723.0000000004DAB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.592277871.0000000004DAB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.593796820.0000000004D70000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.671610507.000001B060CF0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.671434122.000001B060C68000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.670841279.000001B060C66000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.678490827.000001482C828000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.677844152.00000225C4229000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA20326
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA0E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6EA0E690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA01290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 0_2_6EA01290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B207D2 mov eax, dword ptr fs:[00000030h] 0_2_00B207D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA19990 mov eax, dword ptr fs:[00000030h] 0_2_6EA19990
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1EC0B mov ecx, dword ptr fs:[00000030h] 0_2_6EA1EC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA202CC mov eax, dword ptr fs:[00000030h] 0_2_6EA202CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA19920 mov esi, dword ptr fs:[00000030h] 0_2_6EA19920
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA19920 mov eax, dword ptr fs:[00000030h] 0_2_6EA19920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA19990 mov eax, dword ptr fs:[00000030h] 2_2_6EA19990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA1EC0B mov ecx, dword ptr fs:[00000030h] 2_2_6EA1EC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA202CC mov eax, dword ptr fs:[00000030h] 2_2_6EA202CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA19920 mov esi, dword ptr fs:[00000030h] 2_2_6EA19920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA19920 mov eax, dword ptr fs:[00000030h] 2_2_6EA19920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046E07D2 mov eax, dword ptr fs:[00000030h] 3_2_046E07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009507D2 mov eax, dword ptr fs:[00000030h] 6_2_009507D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_045507D2 mov eax, dword ptr fs:[00000030h] 14_2_045507D2
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B228D5 LdrInitializeThunk, 0_2_00B228D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6EA1A462
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA20326
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA1AB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA1A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6EA1A462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EA20326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA1AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EA1AB0C

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4340 -ip 4340
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 316
Source: loaddll32.exe, 00000000.00000000.544973056.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.566158477.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.564329433.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.546596729.0000000001550000.00000002.00020000.sdmp, svchost.exe, 00000005.00000002.679513205.000001C803660000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.678697817.0000000003860000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.544973056.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.566158477.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.564329433.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.546596729.0000000001550000.00000002.00020000.sdmp, svchost.exe, 00000005.00000002.679513205.000001C803660000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.678697817.0000000003860000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.544973056.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.566158477.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.564329433.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.546596729.0000000001550000.00000002.00020000.sdmp, svchost.exe, 00000005.00000002.679513205.000001C803660000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.678697817.0000000003860000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.544973056.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.566158477.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.564329433.0000000001550000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.546596729.0000000001550000.00000002.00020000.sdmp, svchost.exe, 00000005.00000002.679513205.000001C803660000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.678697817.0000000003860000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1A584 cpuid 0_2_6EA1A584
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6EA1A755

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000014.00000002.678780295.000001E05B03D000.00000004.00000001.sdmp Binary or memory string: $@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000014.00000002.678929916.000001E05B102000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet