Windows Analysis Report efELSMI5R4

Overview

General Information

Sample Name: efELSMI5R4 (renamed file extension from none to dll)
Analysis ID: 532312
MD5: 1ec5996508211a8d174a1a09d6289463
SHA1: ede146abf146c0dfdb88431dfecf5cc80b267335
SHA256: 2933137a5e251f44b2e6d2cc919c8a679651a76b900b3b9e2b06edc73b64e5e6
Tags: 32, dll, exe, trojan
Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: efELSMI5R4.dll Virustotal: Detection: 19%

Compliance:

Uses 32bit PE files
Source: efELSMI5R4.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: efELSMI5R4.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.582794929.000000000058C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583003342.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582874162.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582894630.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582878740.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.582894630.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582878740.0000000000559000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.583003342.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582874162.0000000000553000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582869667.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583186515.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604642586.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604322551.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.597098712.0000000000432000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.582869667.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583186515.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604642586.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604322551.0000000000CAC000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECF0927 FindFirstFileExW, 2_2_6ECF0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECF0927 FindFirstFileExW, 5_2_6ECF0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_009BE2C8 FindFirstFileW, 26_2_009BE2C8

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.63.5.129 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /fWxVMEvEItuVfHPcFsGHwLkZfscDpKaAeHKyPiJIqQ HTTP/1.1Cookie: BPnBmsPHiG=8D4dsLTWN8wEGAED/TDSscJN6tz6UiW9Sa7p1L1j+sV8peUY3i4h541A7FXE4tOLJPvGODcUqyKdZRdd4eLVMSqHn/QSuYDzDawRyYOBXu6fQpi7mDqtISdNgCJdqllab7kmTC8JkExQ5QdDNiC5RaFQkQmH8lhmwU8xXoXh+j8s7+Z3BdjBH7uOOgjnzk8PadPgkEn5XuuSWvqAvHt+OIGRsSH4rQBUpgvQ1fCY/yKMeukT8WwcUdr5/JoJiNMk/ZsMMpoKYsGTM1YS3andCGr7w3voV5dtu6EWrfS2xnLTBepk11l/Ck/dvR9iQCeMbJwbV/hbshMw7htS0Fv4102otz0kFPNoh61rQXO2VxiWNrBF0xk=Host: 45.63.5.129Connection: Keep-AliveCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: WerFault.exe, 00000018.00000002.620064823.0000000004C18000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.618456915.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.618557628.0000000004C17000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.618529956.0000000004C14000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.693696632.00000214D4D00000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001C.00000002.693406330.00000214D46EB000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.22.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001C.00000003.672417504.00000214D4D8D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672459141.00000214D4DCE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.672477338.00000214D4DAE000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001C.00000003.673502580.00000214D5202000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673473376.00000214D4D91000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673436832.00000214D4DA8000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.673407994.00000214D4DA8000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_009A3394 InternetReadFile, 26_2_009A3394

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 13.2.rundll32.exe.3332418.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.e12148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.1100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c920a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.e12148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.11e3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c920a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.932160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.35a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.rundll32.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.11e3b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.rundll32.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.35a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3332418.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.860000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.932160.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.562952810.0000000000DFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.620708124.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.572742527.0000000000C30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.600312961.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.574084916.0000000000C7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.577604622.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.620644706.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.599173428.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.599105151.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.575882015.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.661109523.00000000035A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.522035243.0000000000785000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.813526904.00000000009A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.600444475.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.568041715.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.765865481.0000000000C4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.660358890.000000000331A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.562904188.0000000000C50000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.534275093.0000000000860000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.566098694.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.562932146.0000000000770000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.563477731.000000000091A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: efELSMI5R4.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Bbinmhqtvqxlwm\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01121291 2_2_01121291
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110CB13 2_2_0110CB13
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01104D1E 2_2_01104D1E
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111970A 2_2_0111970A
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111E10A 2_2_0111E10A
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01113D0C 2_2_01113D0C
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111BF0C 2_2_0111BF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111590E 2_2_0111590E
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111CD35 2_2_0111CD35
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110F73B 2_2_0110F73B
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01119124 2_2_01119124
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110A92F 2_2_0110A92F
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01116540 2_2_01116540
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01120370 2_2_01120370
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110BD61 2_2_0110BD61
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110CF6E 2_2_0110CF6E
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01111591 2_2_01111591
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110B191 2_2_0110B191
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01107795 2_2_01107795
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01108D80 2_2_01108D80
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01104B81 2_2_01104B81
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01113782 2_2_01113782
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111DB87 2_2_0111DB87
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110358B 2_2_0110358B
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111E3B5 2_2_0111E3B5
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011185B8 2_2_011185B8
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011043BE 2_2_011043BE
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011059BF 2_2_011059BF
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111D7BE 2_2_0111D7BE
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011189A2 2_2_011189A2
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111DDA5 2_2_0111DDA5
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01110BA4 2_2_01110BA4
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111E5A7 2_2_0111E5A7
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011075D2 2_2_011075D2
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011019C0 2_2_011019C0
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110A3E7 2_2_0110A3E7
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111EDED 2_2_0111EDED
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011051EC 2_2_011051EC
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0112261E 2_2_0112261E
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111C205 2_2_0111C205
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110800A 2_2_0110800A
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01103432 2_2_01103432
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110243F 2_2_0110243F
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01109824 2_2_01109824
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01103228 2_2_01103228
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111282D 2_2_0111282D
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01106453 2_2_01106453
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111EA55 2_2_0111EA55
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110CE5A 2_2_0110CE5A
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01113043 2_2_01113043
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110AE43 2_2_0110AE43
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01117445 2_2_01117445
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110544C 2_2_0110544C
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0110AA4E 2_2_0110AA4E
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_0111B677 2_2_0111B677
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6ECD1DE0 appears 97 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6ECEAC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6ECD1DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6ECEAC90 appears 33 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: efELSMI5R4.dll Virustotal: Detection: 19%
Source: efELSMI5R4.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee",NbYKKsmYIJwkXu
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6404 -ip 6404
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 316
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee",NbYKKsmYIJwkXu
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bbinmhqtvqxlwm\fxpdqqlt.pee",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6404 -ip 6404
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 316
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
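Added example (not part of the Joe Sandbox report above, and not a reproduction of the Sigma rule it cites): the process-creation lines above show the chain the report scores as Emotet-like. rundll32.exe first loads the submitted DLL from the user's Desktop by export name or by ordinal (Control_RunDLL, #1, ajkaibu), then a rundll32.exe child of rundll32.exe loads the moved copy C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee, a module with a non-.dll extension in a freshly created subdirectory of SysWOW64, by a random export name. The Python below parses lines in the report's own "Source: <parent> Process created: <image> <command line>" format and flags rundll32 launches on exactly those signals. The sample events are copied from the report, plus one constructed benign control (shell32.dll,Control_RunDLL from explorer.exe) that must not fire. Two caveats a reader of this report should keep in mind: the WMI ROOT\SecurityCenter2 queries and the HKLM\SOFTWARE\Microsoft\Security Center write listed further down are attributed to svchost.exe, which the process list shows hosting wscsvc (the Windows Security Center service), and the WerFault.exe entries are crash reporting for PID 6404; the rule below deliberately ignores both as OS activity rather than behaviour of the sample.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Report line format: "Source: <parent image> Process created: <child image> <command line>"
EVENT_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.*)$", re.I
)
# rundll32 argument: optionally quoted module path, a comma, then an export name or #ordinal
RUNDLL_ARG_RE = re.compile(
    r'rundll32\.exe"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I
)

LIBRARY_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}         # what rundll32 legitimately loads
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # locations a standard user can write

# Constructed sample input: six events copied from the report above, plus one benign
# control line (a normal Control Panel launch, hypothetical) that must not be flagged.
SAMPLE_EVENTS = [
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu",
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee",NbYKKsmYIJwkXu',
    r'Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable',
    r"Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL sysdm.cpl",
]


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    event: ProcEvent
    module: str
    export: str
    reasons: list = field(default_factory=list)


def parse_event(line: str):
    """Parse one report line into a ProcEvent, or None if it is not a process-creation line."""
    m = EVENT_RE.match(line.strip())
    return ProcEvent(m["parent"], m["image"], m["cmdline"]) if m else None


def rundll32_args(cmdline: str):
    """Return (module path, export) from a rundll32 command line, or None."""
    m = RUNDLL_ARG_RE.search(cmdline)
    return (m["module"], m["export"]) if m else None


def assess(ev: ProcEvent):
    """Score a rundll32 launch on the signals visible in this report; None when nothing fires."""
    if PureWindowsPath(ev.image).name.lower() != "rundll32.exe":
        return None
    args = rundll32_args(ev.cmdline)
    if args is None:
        return None
    module, export = args
    path = PureWindowsPath(module)
    parts = [p.lower() for p in path.parts]
    reasons = []
    if any(tok in module.lower() for tok in USER_WRITABLE):
        reasons.append("module loaded from user-writable path")            # Desktop-staged DLL
    if path.suffix.lower() not in LIBRARY_EXTS:
        reasons.append(f"module has non-library extension {path.suffix!r}")  # the .pee copy
    for sysdir in ("system32", "syswow64"):
        # more than just the file name follows the System32/SysWOW64 component
        if sysdir in parts and len(parts) - parts.index(sysdir) > 2:
            reasons.append(f"module in a subdirectory of {sysdir}")
    if export.startswith("#"):
        reasons.append("export called by ordinal")     # weak alone; loaders also use "#1"
    if PureWindowsPath(ev.parent).name.lower() == "rundll32.exe":
        reasons.append("rundll32 spawned by rundll32")  # stage one relaunching the moved copy
    return Finding(ev, module, export, reasons) if reasons else None


def scan(lines):
    """Run assess() over report lines and return findings in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            f = assess(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.export:>16}  {f.module}\n    parent={f.event.parent}\n    " + "; ".join(f.reasons))
```

On the report's events this yields four findings: the three Desktop-path launches (the #1 launch additionally carrying the ordinal signal) and the fxpdqqlt.pee relaunch, which fires on all three of non-library extension, SysWOW64 subdirectory and rundll32-parent; the MpCmdRun, WerFault and shell32.dll control lines produce nothing. The same path and parent checks apply unchanged to Sysmon event ID 1 or EDR process-creation telemetry once the parent, image and command line are extracted.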
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2267.tmp
Source: classification engine Classification label: mal88.troj.evad.winDLL@41/21@0/1
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_009C1B99 CreateToolhelp32Snapshot, 26_2_009C1B99
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:204:64:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5604:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6404
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: efELSMI5R4.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: efELSMI5R4.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.582794929.000000000058C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583003342.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582874162.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582894630.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582878740.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.582894630.0000000000559000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582878740.0000000000559000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.583003342.0000000000553000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582874162.0000000000553000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.582869667.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583186515.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604642586.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604322551.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.590810791.0000000004621000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.608934317.0000000004F51000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.597098712.0000000000432000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.582869667.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.583186515.000000000054D000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604642586.0000000000CAC000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.604322551.0000000000CAC000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011013E7 push esi; retf 2_2_011013F0
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECF6A93 push ecx; ret 2_2_6ECF6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_008613E7 push esi; retf 5_2_008613F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECF6A93 push ecx; ret 5_2_6ECF6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007713E7 push esi; retf 6_2_007713F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_035A13E7 push esi; retf 13_2_035A13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_009A13E7 push esi; retf 26_2_009A13F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECDE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 2_2_6ECDE690

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bbinmhqtvqxlwm\fxpdqqlt.pee:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4736 Thread sleep time: -90000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECF0927 FindFirstFileExW, 2_2_6ECF0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECF0927 FindFirstFileExW, 5_2_6ECF0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_009BE2C8 FindFirstFileW, 26_2_009BE2C8
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.22.dr Binary or memory string: VMware
Source: Amcache.hve.22.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: WerFault.exe, 00000018.00000003.618456915.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.620041748.0000000004C02000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWiK
Source: Amcache.hve.22.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.
Source: WerFault.exe, 00000018.00000002.620008004.0000000004BD2000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.618494839.0000000004BD2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: svchost.exe, 0000001C.00000002.693021814.00000214D4681000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWpj
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr Binary or memory string: VMware7,1
Source: Amcache.hve.22.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000018.00000003.618456915.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.620041748.0000000004C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.693041446.00000214D4689000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.693406330.00000214D46EB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.22.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.22.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000018.00000003.616852484.0000000004BD1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECEAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6ECEAB0C
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECDE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 2_2_6ECDE690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECD1290 GetMagnificationLensCtxInformation,GetProcessHeap,GetMagnificationLensCtxInformation,HeapAlloc,HeapFree, 2_2_6ECD1290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_011107D2 mov eax, dword ptr fs:[00000030h] 2_2_011107D2
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECE9990 mov eax, dword ptr fs:[00000030h] 2_2_6ECE9990
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECEEC0B mov ecx, dword ptr fs:[00000030h] 2_2_6ECEEC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECF02CC mov eax, dword ptr fs:[00000030h] 2_2_6ECF02CC
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECE9920 mov esi, dword ptr fs:[00000030h] 2_2_6ECE9920
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECE9920 mov eax, dword ptr fs:[00000030h] 2_2_6ECE9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_008707D2 mov eax, dword ptr fs:[00000030h] 5_2_008707D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECE9990 mov eax, dword ptr fs:[00000030h] 5_2_6ECE9990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECEEC0B mov ecx, dword ptr fs:[00000030h] 5_2_6ECEEC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECF02CC mov eax, dword ptr fs:[00000030h] 5_2_6ECF02CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECE9920 mov esi, dword ptr fs:[00000030h] 5_2_6ECE9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECE9920 mov eax, dword ptr fs:[00000030h] 5_2_6ECE9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007807D2 mov eax, dword ptr fs:[00000030h] 6_2_007807D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_035B07D2 mov eax, dword ptr fs:[00000030h] 13_2_035B07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_009B07D2 mov eax, dword ptr fs:[00000030h] 26_2_009B07D2
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_01111591 LdrInitializeThunk, 2_2_01111591
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECEA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6ECEA462
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECEAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6ECEAB0C
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECF0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6ECF0326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECEA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6ECEA462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECEAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6ECEAB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6ECF0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6ECF0326

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.63.5.129 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 6404 -ip 6404
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6404 -ip 6404
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 316
Source: svchost.exe, 00000001.00000002.814657339.00000159B5A60000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.569777163.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.600588969.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.599262292.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.578206765.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.816539313.0000000003450000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000001.00000002.814657339.00000159B5A60000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.569777163.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.600588969.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.599262292.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.578206765.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.816539313.0000000003450000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000001.00000002.814657339.00000159B5A60000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.569777163.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.600588969.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.599262292.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.578206765.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.816539313.0000000003450000.00000002.00020000.sdmp Binary or memory string: Progman
Source: svchost.exe, 00000001.00000002.814657339.00000159B5A60000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.569777163.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.600588969.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.599262292.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000002.00000000.578206765.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.816539313.0000000003450000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECEA584 cpuid 2_2_6ECEA584
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECEA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6ECEA755

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.22.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000000.00000002.813823605.0000020AC5040000.00000004.00000001.sdmp Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000000.00000002.813897976.0000020AC5102000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr Binary or memory string: procexp.exe
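The behaviour lines in the two sections above (volume serial, cpuid and MachineGuid lookups; WMI enumeration of ROOT\SecurityCenter2; the write to the Security Center key; AV process names found in Amcache) share one line format, so they can be triaged mechanically. The following Python is an added example, not part of this Joe Sandbox report or of the sample: it parses lines in the report's own "Source: <source> <event>: <detail>" layout, assigns each to a category and summarises which process did what. The sample input is copied from the sections above (with the "Jump to behavior" link text removed); the event-name list, the category names and the AV process-name list are the example's own assumptions, not something the report defines.

```python
"""Triage Joe Sandbox-style behaviour lines (added example, not report code)."""
import re
from collections import defaultdict

# Constructed sample input: behaviour lines copied from this report's "Language,
# Device and Operating System Detection" and "Lowering of HIPS / PFW / Operating
# System Security Settings" sections, "Jump to behavior" link text removed.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6ECEA584 cpuid 2_2_6ECEA584",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct",
    r"Source: Amcache.hve.22.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe",
]

# Event names as they appear in the report (assumed list; extend for other sections).
EVENTS = (
    "Queries volume information",
    "Code function",
    "Key value queried",
    "Key value created or modified",
    "WMI Queries",
    "Binary or memory string",
)
LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+(?P<event>"
    + "|".join(re.escape(e) for e in EVENTS)
    + r"):\s*(?P<detail>.*)$"
)
WMI_RE = re.compile(r"IWbemServices::(?P<method>\w+)\s+-\s+(?P<namespace>\S+)\s+:\s+(?P<query>.*)$")
SECURITY_CLASSES = ("AntiVirusProduct", "FirewallProduct", "AntiSpywareProduct")
AV_PROCESS_NAMES = ("msmpeng.exe", "procexp.exe")  # names the report's signature hit on (assumed list)


def parse_line(line):
    """Split one report line into source, event and detail; None if it is not a behaviour line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source = m.group("source")
    # Reduce process paths to the image name; keep dropped-file sources (e.g. Amcache.hve.22.dr) verbatim.
    process = source.rsplit("\\", 1)[-1] if source.lower().endswith(".exe") else source
    return {"process": process, "event": m.group("event"), "detail": m.group("detail")}


def _is_security_center_query(wmi_match):
    return wmi_match is not None and wmi_match.group("namespace").upper().startswith("ROOT\\SECURITYCENTER")


def classify(rec):
    """Map a parsed line to one of the example's categories."""
    event, detail, source = rec["event"], rec["detail"], rec["process"]
    if event == "Queries volume information" and "VolumeInformation" in detail:
        return "fingerprint"
    if event == "Code function" and re.search(r"\bcpuid\b", detail):
        return "fingerprint"
    if event == "Key value queried" and detail.endswith("MachineGuid"):
        return "fingerprint"
    if event == "Key value created or modified" and "\\Security Center" in detail:
        return "security_center_tamper"
    if event == "WMI Queries":
        w = WMI_RE.search(detail)
        if _is_security_center_query(w) and any(c in w.group("query") for c in SECURITY_CLASSES):
            return "security_product_enum"
        return "wmi_other"
    if event == "Binary or memory string" and any(n in detail.lower() for n in AV_PROCESS_NAMES):
        # Amcache.hve records programs executed on the analysis host itself, so a hit
        # sourced from it describes the sandbox image, not strings inside the sample.
        return "host_artifact" if "Amcache.hve" in source else "av_string"
    return "other"


def triage(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            rec["category"] = classify(rec)
            findings.append(rec)
    return findings


def summarize(findings):
    """Category -> sorted list of the processes (or file sources) that produced it."""
    by_cat = defaultdict(set)
    for f in findings:
        by_cat[f["category"]].add(f["process"])
    return {cat: sorted(procs) for cat, procs in by_cat.items()}


def wmi_security_classes(lines):
    """Security Center classes enumerated via WMI, across all query styles seen."""
    classes = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["event"] != "WMI Queries":
            continue
        w = WMI_RE.search(rec["detail"])
        if _is_security_center_query(w):
            classes.update(c for c in SECURITY_CLASSES if c in w.group("query"))
    return sorted(classes)


def fingerprint_and_av_enum(summary):
    """True when some process fingerprints the host and some process enumerates security products."""
    return bool(summary.get("fingerprint")) and bool(summary.get("security_product_enum"))


if __name__ == "__main__":
    result = summarize(triage(SAMPLE_LINES))
    for cat, procs in sorted(result.items()):
        print(f"{cat:24s} {', '.join(procs)}")
    print("WMI classes:", wmi_security_classes(SAMPLE_LINES))
    print("fingerprint + AV enumeration:", fingerprint_and_av_enum(result))
```

Feeding the report lines above yields fingerprinting by loaddll32.exe and rundll32.exe, Security Center enumeration and the Security Center key write by svchost.exe, and the Defender path hit filed as a host artifact rather than a sample string. The separate host_artifact bucket is deliberate: the procexp.exe and MsMpEng.exe entries come from Amcache.hve, which lists executables run on the analysis VM, so on their own they are weak evidence that the sample targets those products.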

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 13.2.rundll32.exe.3332418.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.e12148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.1100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c920a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.e12148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.11e3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c920a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.932160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.35a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.rundll32.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.11e3b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.rundll32.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.11e3b40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.35a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.loaddll32.exe.1100000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3332418.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.860000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.932160.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.562952810.0000000000DFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.620708124.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.572742527.0000000000C30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.600312961.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.574084916.0000000000C7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.577604622.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.620644706.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.599173428.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.599105151.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.575882015.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.661109523.00000000035A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.522035243.0000000000785000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.813526904.00000000009A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.600444475.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.568041715.00000000011DC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.765865481.0000000000C4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.660358890.000000000331A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.562904188.0000000000C50000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.534275093.0000000000860000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.566098694.0000000001100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.562932146.0000000000770000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.563477731.000000000091A000.00000004.00000020.sdmp, type: MEMORY
[Map legend (figure not extracted): countries shaded by number of IPs, in bands of <25%, 25-50%, 50-75% and >75%]