Windows Analysis Report nhlHEF5IVY.dll

Overview

General Information

Sample Name: nhlHEF5IVY.dll
Analysis ID: 532437
MD5: 222719bd9555a8f48428737ab34a6fa6
SHA1: b56136e6d1460055917dcb74ed849c59b35300c0
SHA256: 81823e821dae4e623a5f11ccbed6e628443301afd92c0ab25e19d847927f5318
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for submitted file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Deletes files inside the Windows folder
Drops PE files to the windows directory (C:\Windows)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormally high CPU usage

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: nhlHEF5IVY.dll Virustotal: Detection: 21%
Source: nhlHEF5IVY.dll ReversingLabs: Detection: 18%

Compliance:

Uses 32bit PE files
Source: nhlHEF5IVY.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: nhlHEF5IVY.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0927 FindFirstFileExW, 0_2_6E4C0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C0927 FindFirstFileExW, 2_2_6E4C0927
Source: WerFault.exe, 0000000E.00000003.990205890.0000000001164000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.990231271.0000000001174000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.992030665.0000000001175000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.12.dr String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Emotet

System Summary:

Uses 32bit PE files
Source: nhlHEF5IVY.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4612 -ip 4612
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Rxalrmpxe\bkor.jtg:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Rxalrmpxe\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034092C1 6_2_034092C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03402CC2 6_2_03402CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034220CE 6_2_034220CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034110CD 6_2_034110CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034152D1 6_2_034152D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034090D4 6_2_034090D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034128D5 6_2_034128D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03421CDB 6_2_03421CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034156E9 6_2_034156E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0340C0EA 6_2_0340C0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034084F0 6_2_034084F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034162F5 6_2_034162F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03414CF5 6_2_03414CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034046FA 6_2_034046FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03401EFB 6_2_03401EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034140FE 6_2_034140FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0340A083 6_2_0340A083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0340F48A 6_2_0340F48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0341CE90 6_2_0341CE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03410A93 6_2_03410A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03410E97 6_2_03410E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0341E899 6_2_0341E899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0341A29B 6_2_0341A29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0341009A 6_2_0341009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0340FE9D 6_2_0340FE9D
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E4BAC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E4A1DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E4BAC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E4A1DE0 appears 97 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: nhlHEF5IVY.dll Virustotal: Detection: 21%
Source: nhlHEF5IVY.dll ReversingLabs: Detection: 18%
Source: nhlHEF5IVY.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Rxalrmpxe\bkor.jtg",APfz
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4612 -ip 4612
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 304
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4612 -ip 4612
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 336
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Rxalrmpxe\bkor.jtg",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,ajkaibu Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,akyncbgollmj Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Rxalrmpxe\bkor.jtg",APfz Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Rxalrmpxe\bkor.jtg",Control_RunDLL Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4612 -ip 4612 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 304 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4612 -ip 4612 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 336 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:1664:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5916:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4612
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9086.tmp Jump to behavior
Source: classification engine Classification label: mal76.troj.evad.winDLL@32/14@0/0
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: nhlHEF5IVY.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: nhlHEF5IVY.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.952942912.0000000000BA2000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.952718698.00000000010F7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.953141393.0000000000BA2000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.952949030.0000000000BA8000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.953289647.0000000000BA8000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.953145712.0000000000BA8000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.952949030.0000000000BA8000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.953289647.0000000000BA8000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.953145712.0000000000BA8000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.953383298.0000000000B9C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.952935685.0000000000B9C000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.952942912.0000000000BA2000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.953141393.0000000000BA2000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.961082404.00000000004D2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.955080145.0000000004971000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.978011043.0000000004CF1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.953383298.0000000000B9C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.952935685.0000000000B9C000.00000004.00000001.sdmp
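The rundll32 chain recorded above (loaddll32.exe launching cmd.exe and rundll32.exe on the submitted DLL, then rundll32.exe re-launching itself on C:\Windows\SysWOW64\Rxalrmpxe\bkor.jtg with the export APfz and, later, Control_RunDLL) is the behaviour behind the "Sigma detected: Emotet RunDLL32 Process Creation" hit. The following Python is an added example, not the Sigma rule's logic and not Joe Sandbox code: it parses rundll32 command lines and scores each process-creation event with a simplified rule written here (rundll32 spawned by rundll32, module loaded from a subdirectory of System32 or SysWOW64, module without a library extension, Control_RunDLL invoked on a non-.cpl module). The events are constructed from the command lines listed in the report; the thresholds and reason strings are this example's own.

```python
"""Triage of the rundll32 process chain recorded in the report.

Added example; it models the pattern behind the report's Sigma hit with a
simplified rule written here, not the actual Sigma rule or sandbox code.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events (parent image, child image, child
# command line), transcribed from the "Process created" lines of the report.
EVENTS = [
    ("C:\\Windows\\System32\\loaddll32.exe", "C:\\Windows\\SysWOW64\\cmd.exe",
     'cmd.exe /C rundll32.exe "C:\\Users\\user\\Desktop\\nhlHEF5IVY.dll",#1'),
    ("C:\\Windows\\SysWOW64\\cmd.exe", "C:\\Windows\\SysWOW64\\rundll32.exe",
     'rundll32.exe "C:\\Users\\user\\Desktop\\nhlHEF5IVY.dll",#1'),
    ("C:\\Windows\\System32\\loaddll32.exe", "C:\\Windows\\SysWOW64\\rundll32.exe",
     "rundll32.exe C:\\Users\\user\\Desktop\\nhlHEF5IVY.dll,Control_RunDLL"),
    ("C:\\Windows\\SysWOW64\\rundll32.exe", "C:\\Windows\\SysWOW64\\rundll32.exe",
     'C:\\Windows\\SysWOW64\\rundll32.exe "C:\\Windows\\SysWOW64\\Rxalrmpxe\\bkor.jtg",APfz'),
    ("C:\\Windows\\SysWOW64\\rundll32.exe", "C:\\Windows\\SysWOW64\\rundll32.exe",
     'C:\\Windows\\SysWOW64\\rundll32.exe "C:\\Windows\\System32\\Rxalrmpxe\\bkor.jtg",Control_RunDLL'),
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\WerFault.exe",
     "C:\\Windows\\SysWOW64\\WerFault.exe -pss -s 472 -p 4612 -ip 4612"),
]

# rundll32 syntax:  rundll32.exe <dll path>,<export name or #ordinal> [args]
# The path may be quoted; the comma between path and entry point is mandatory.
_RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))\s*,\s*(?P<entry>[^\s]+)',
    re.IGNORECASE,
)
_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
_LIBRARY_EXT = (".dll", ".cpl", ".ocx", ".ax", ".drv")


@dataclass
class Finding:
    cmdline: str
    reasons: list


def parse_rundll32(cmdline):
    """Return (dll_path, entry) or None if this is not a rundll32 command line."""
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return (m.group("q") or m.group("u"), m.group("entry"))


def assess(parent, child, cmdline):
    """Collect the indicators that apply to one process-creation event."""
    reasons = []
    if not child.lower().endswith("\\rundll32.exe"):
        return Finding(cmdline, reasons)
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return Finding(cmdline, reasons)
    dll, entry = parsed
    low = dll.lower()
    if parent.lower().endswith("\\rundll32.exe"):
        reasons.append("rundll32 spawned by rundll32")
    sysdir = next((d for d in _SYSTEM_DIRS if low.startswith(d)), None)
    if sysdir and "\\" in low[len(sysdir):]:          # module sits in a subdirectory
        reasons.append("module loaded from subdirectory of " + sysdir)
    if not low.endswith(_LIBRARY_EXT):
        reasons.append("module has non-library extension " + low.rsplit(".", 1)[-1])
    if entry.lower() == "control_rundll" and not low.endswith(".cpl"):
        reasons.append("Control_RunDLL export on a non-.cpl module")
    return Finding(cmdline, reasons)


def hunt(events, min_reasons=2):
    """Return findings with at least min_reasons indicators, in event order."""
    return [f for f in (assess(*e) for e in events) if len(f.reasons) >= min_reasons]
```

Single indicators fire on the sandbox's own harness (loaddll32.exe calling Control_RunDLL on the submitted file scores one reason), so hunt() reports an event only when two or more coincide; with the events above, the two self-spawned rundll32 launches of bkor.jtg are the ones that survive, with three and four reasons respectively.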

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001C13E7 push esi; retf 0_2_001C13F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C6A93 push ecx; ret 0_2_6E4C6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C6A93 push ecx; ret 2_2_6E4C6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_031A13E7 push esi; retf 4_2_031A13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034013E7 push esi; retf 6_2_034013F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E4AE690

Persistence and Installation Behavior:

barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Rxalrmpxe\bkor.jtg Jump to behavior
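The moved file keeps a PE image behind a .jtg extension in a freshly created SysWOW64 subdirectory, and the same path is later handed to rundll32.exe. The following Python is an added example, not code from the report: it walks a directory tree, parses the DOS and COFF headers of every file whose extension is not a library or executable one, and reports those that are PE images anyway, together with the Machine and DLL flag that the report's static section lists for the sample. The sample tree it builds in a temporary directory (a minimal hand-built PE header saved as bkor.jtg beside a text decoy) is constructed so the example runs offline; point scan_tree() at a real C:\Windows\SysWOW64 to use it. parse_zone_identifier() and motw_zone() cover the Zone.Identifier stream whose deletion is recorded in the next section; the stream only exists on NTFS and the open simply fails elsewhere.

```python
"""Find PE images hiding behind non-library extensions under a directory tree.

Added example (not Joe Sandbox code). The sample tree is constructed.
"""
import os
import struct
import tempfile

PE_EXTS = (".dll", ".exe", ".cpl", ".ocx", ".sys", ".drv", ".mui", ".ax")
IMAGE_FILE_DLL = 0x2000          # Characteristics bit the report shows as "DLL"


def pe_info(data):
    """Return {'machine', 'is_dll'} if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL)}


def scan_tree(root):
    """Return [(path, info)] for PE files whose extension is not a PE one."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = pe_info(fh.read(4096))
            if info:
                hits.append((path, info))
    return hits


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream; return ZoneId as int, or None."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid":
            return int(value.strip())
    return None


def motw_zone(path):
    """ZoneId from the file's ':Zone.Identifier' stream, or None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:          # no NTFS stream (never present, or deleted as in the report)
        return None


def build_sample_tree():
    """Constructed sample: i386 DLL stub saved as bkor.jtg plus a non-PE decoy."""
    root = tempfile.mkdtemp(prefix="syswow64_")
    sub = os.path.join(root, "Rxalrmpxe")
    os.makedirs(sub)
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine 0x14C (i386), 3 sections, Characteristics 0x2102 =
    # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL, as the report's static section lists.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)
    with open(os.path.join(sub, "bkor.jtg"), "wb") as fh:
        fh.write(dos + coff + b"\0" * 0xE0)
    with open(os.path.join(sub, "readme.jtg"), "w") as fh:
        fh.write("not a PE\n")
    return root
```

Reading only the first 4096 bytes is enough for the headers and keeps the walk cheap on a full system directory; a match on a file with a recent creation time in a directory that did not exist before is the artefact to pull for analysis.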

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Rxalrmpxe\bkor.jtg:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0927 FindFirstFileExW, 0_2_6E4C0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C0927 FindFirstFileExW, 2_2_6E4C0927
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.12.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: VMware7,1
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000E.00000003.990205890.0000000001164000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.992000336.0000000001164000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.991697081.0000000000B88000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4BAB0C
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D07D2 mov eax, dword ptr fs:[00000030h] 0_2_001D07D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9990 mov eax, dword ptr fs:[00000030h] 0_2_6E4B9990
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BEC0B mov ecx, dword ptr fs:[00000030h] 0_2_6E4BEC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C02CC mov eax, dword ptr fs:[00000030h] 0_2_6E4C02CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9920 mov esi, dword ptr fs:[00000030h] 0_2_6E4B9920
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9920 mov eax, dword ptr fs:[00000030h] 0_2_6E4B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4B9990 mov eax, dword ptr fs:[00000030h] 2_2_6E4B9990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4BEC0B mov ecx, dword ptr fs:[00000030h] 2_2_6E4BEC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C02CC mov eax, dword ptr fs:[00000030h] 2_2_6E4C02CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4B9920 mov esi, dword ptr fs:[00000030h] 2_2_6E4B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4B9920 mov eax, dword ptr fs:[00000030h] 2_2_6E4B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_031B07D2 mov eax, dword ptr fs:[00000030h] 4_2_031B07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_034107D2 mov eax, dword ptr fs:[00000030h] 6_2_034107D2
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E4AE690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A1290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 0_2_6E4A1290
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001CFA78 LdrInitializeThunk, 0_2_001CFA78
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4BA462
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4BAB0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4C0326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E4BA462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E4BAB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E4C0326
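Two of the signatures on this page rest on fixed instruction encodings: the "push esi; retf" and "push ecx; ret" sequences listed under Data Obfuscation (a push followed by a return is an indirect jump that hides the target from static call graphs), and the "mov reg, dword ptr fs:[00000030h]" instructions listed above (fs:[30h] is the PEB pointer in the 32-bit TEB; PEB.BeingDebugged sits at offset 2 and PEB.NtGlobalFlag at offset 0x68). The following Python is an added example, not Joe Sandbox's own detection code: it scans a buffer of 32-bit code bytes for those encodings and a third common form, push imm32; ret. The sample buffer is hand-assembled for this example, not taken from the DLL, and the offsets it reports are offsets into that buffer.

```python
"""Byte-level heuristics for push/ret jumps and fs:[30h] PEB reads (x86, 32-bit).

Added example; not the sandbox's code. SAMPLE is constructed by hand.
"""
REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
PEB_OFFSET = 0x30                          # TEB.ProcessEnvironmentBlock (32-bit)
PEB_FIELDS = {0x02: "BeingDebugged", 0x68: "NtGlobalFlag"}   # what follows a PEB load
_RETS = {0xC3: "ret", 0xCB: "retf", 0xC2: "ret imm16", 0xCA: "retf imm16"}


def scan_code(buf):
    """Return [(offset, mnemonic)] for each matched sequence in buf."""
    found = []
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        # push r32 (50+r) immediately followed by a near or far return
        if 0x50 <= b <= 0x57 and i + 1 < n and buf[i + 1] in _RETS:
            found.append((i, f"push {REGS[b - 0x50]}; {_RETS[buf[i + 1]]}"))
            i += 2
            continue
        # push imm32 ; ret  (68 xx xx xx xx C3): jump to an absolute address
        if b == 0x68 and i + 5 < n and buf[i + 5] == 0xC3:
            target = int.from_bytes(buf[i + 1:i + 5], "little")
            found.append((i, f"push 0x{target:08x}; ret"))
            i += 6
            continue
        # FS segment override, then mov r32, [disp32] with disp32 == 0x30
        if b == 0x64 and i + 1 < n:
            if buf[i + 1] == 0xA1 and i + 5 < n:                    # A1: mov eax, moffs32
                if int.from_bytes(buf[i + 2:i + 6], "little") == PEB_OFFSET:
                    found.append((i, "mov eax, dword ptr fs:[30h]"))
                    i += 6
                    continue
            if buf[i + 1] == 0x8B and i + 6 < n:                    # 8B /r: mov r32, r/m32
                modrm = buf[i + 2]
                if modrm & 0xC7 == 0x05:                            # mod=00 r/m=101: [disp32]
                    if int.from_bytes(buf[i + 3:i + 7], "little") == PEB_OFFSET:
                        found.append((i, f"mov {REGS[(modrm >> 3) & 7]}, dword ptr fs:[30h]"))
                        i += 7
                        continue
        i += 1
    return found


# Constructed sample: a BeingDebugged check, a second PEB load, the two push/ret
# forms from the report, a push imm32 jump, and two byte runs that must not match.
SAMPLE = bytes([
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,         # mov eax, fs:[30h]
    0x0F, 0xB6, 0x40, 0x02,                     # movzx eax, byte ptr [eax+2] (BeingDebugged)
    0x85, 0xC0,                                 # test eax, eax
    0x64, 0x8B, 0x35, 0x30, 0x00, 0x00, 0x00,   # mov esi, fs:[30h]
    0x56, 0xCB,                                 # push esi; retf
    0x51, 0xC3,                                 # push ecx; ret
    0x68, 0x00, 0x10, 0x40, 0x00, 0xC3,         # push 0x00401000; ret
    0x50, 0x58,                                 # push eax; pop eax   (benign, no hit)
    0x64, 0x8B, 0x0D, 0x18, 0x00, 0x00, 0x00,   # mov ecx, fs:[18h]   (TEB self, no hit)
])
```

These are heuristics, not verdicts: the same "push ecx; ret" address 6E4C6A93 appears under both loaddll32.exe and rundll32.exe because it is one mapped module seen from two processes, compilers emit push/ret sequences of their own, and the IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter call sequence listed above is what the MSVC runtime's fail-fast handler produces, so a hit on any one of them needs corroboration such as the DebugPort query also recorded here.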

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4612 -ip 4612 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 304 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4612 -ip 4612 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 336 Jump to behavior
Source: loaddll32.exe, 00000000.00000000.948854020.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.947064309.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.969913878.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.970507321.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.1064077751.0000000003460000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.948854020.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.947064309.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.969913878.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.970507321.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.1064077751.0000000003460000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.948854020.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.947064309.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.969913878.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.970507321.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.1064077751.0000000003460000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.948854020.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.947064309.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.969913878.00000000013C0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.970507321.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.1064077751.0000000003460000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA584 cpuid 0_2_6E4BA584
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E4BA755

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0.0.loaddll32.exe.1c0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5d3908.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.32c2240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5d3908.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5d3908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.9434a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5d3908.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3753718.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.31a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1c0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3753718.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5d3908.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.5d3908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.31a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.8e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5d3908.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.32c2240.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.5d3908.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5d3908.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3732240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.5d3908.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3732240.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.9434a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.970291608.00000000001C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.993619798.00000000005BB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.946676422.0000000000E30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.948659088.00000000005BB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.947178520.00000000032AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.969710134.00000000001C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1048939362.000000000373A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.946359714.00000000031A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.930138580.0000000000750000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.946894712.00000000005BB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.946802756.000000000371A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.948115797.00000000001C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.899666067.0000000000B2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.969859357.00000000005BB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.970456137.00000000005BB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1048437033.0000000003400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.993327606.00000000001C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.946627209.00000000001C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.936268035.000000000092A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.933922652.00000000008E0000.00000040.00000010.sdmp, type: MEMORY
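The Yara hit list above mixes two identifier forms: extracted PE images (pid.stage.image.base.index[.raw].unpack) and raw memory dumps (pid.stage.dumpid.base.protection.type.sdmp). The following Python script is an added example, not part of the Joe Sandbox report, that parses both forms and groups the hits by process and base address so an analyst can see at a glance which processes carried the unpacked Emotet payload. The naming convention and the reading of the fifth .sdmp field as a Windows PAGE_* protection constant are assumptions made here; the sample identifiers are copied from the list above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of the Yara "File source" identifiers from the report above.
SAMPLE_HITS = [
    "0.0.loaddll32.exe.1c0000.6.unpack",
    "5.2.rundll32.exe.32c2240.1.raw.unpack",
    "0.2.loaddll32.exe.5d3908.1.raw.unpack",
    "00000000.00000000.970291608.00000000001C0000.00000040.00000010.sdmp",
    "00000005.00000002.947178520.00000000032AA000.00000004.00000020.sdmp",
    "00000002.00000003.899666067.0000000000B2B000.00000004.00000001.sdmp",
]

# Assumed layouts: pid.stage.image.base.index[.raw].unpack and
# pid.stage.dumpid.base.protection.type.sdmp (all numeric fields hex except dumpid/index).
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(\.raw)?\.unpack$")
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$"
)

# Windows PAGE_* constants; assumed to be what the .sdmp protection field carries.
PAGE_NAMES = {0x02: "R", 0x04: "RW", 0x20: "RX", 0x40: "RWX"}


def parse_hit(name):
    """Return a dict describing one dump identifier, or raise on an unknown form."""
    m = UNPACK_RE.match(name)
    if m:
        pid, stage, image, base, idx, raw = m.groups()
        return {"kind": "unpack", "pid": int(pid), "stage": int(stage), "image": image,
                "base": int(base, 16), "raw": raw is not None, "prot": None}
    m = SDMP_RE.match(name)
    if m:
        pid, stage, _dumpid, base, prot, _kind = m.groups()
        return {"kind": "sdmp", "pid": int(pid, 16), "stage": int(stage, 16), "image": None,
                "base": int(base, 16), "raw": True, "prot": int(prot, 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def summarise(hits):
    """Group hits by PID, then by base address; record whether a PE was extracted
    from that address and which page protections the raw dumps had."""
    procs = defaultdict(lambda: {
        "image": None,
        "regions": defaultdict(lambda: {"unpacked_pe": False, "prots": set()}),
    })
    for name in hits:
        h = parse_hit(name)
        p = procs[h["pid"]]
        if h["image"]:
            p["image"] = h["image"]  # only the .unpack form names the host process
        r = p["regions"][h["base"]]
        if h["kind"] == "unpack":
            r["unpacked_pe"] = True
        else:
            r["prots"].add(PAGE_NAMES.get(h["prot"], hex(h["prot"])))
    return procs


def rwx_regions(hits):
    """(pid, base) pairs dumped as PAGE_EXECUTE_READWRITE, the usual footprint of a
    payload that was written and then executed in place."""
    out = []
    for pid, p in sorted(summarise(hits).items()):
        for base, r in sorted(p["regions"].items()):
            if "RWX" in r["prots"]:
                out.append((pid, base))
    return out


if __name__ == "__main__":
    for pid, p in sorted(summarise(SAMPLE_HITS).items()):
        print(f"PID {pid} ({p['image'] or 'unknown image'}):")
        for base, r in sorted(p["regions"].items()):
            prots = ",".join(sorted(r["prots"])) or "-"
            print(f"  {base:#010x}  unpacked_pe={r['unpacked_pe']}  prots={prots}")
    print("RWX regions:", [(pid, hex(b)) for pid, b in rwx_regions(SAMPLE_HITS)])
```

Feed the script the full list from the report (one identifier per line) to see that loaddll32.exe (PID 0) and each rundll32.exe child carry the same payload at an RWX region, which is consistent with the "Creates a process in suspended mode" signature in the overview.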
No contacted IP infos