Windows Analysis Report 3pO1282Kpx.dll

Overview

General Information

Sample Name: 3pO1282Kpx.dll
Analysis ID: 532438
MD5: 173345845a2a7d0d99c17bdc5445df90
SHA1: 35ed97b5ac5a3ed0fdc00eabff20f3bfcdfc8a7c
SHA256: 9ed58848f0a7b354a32d4ef67ea9ff70ba75f9238c39d9f1af88fae6811cb504
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 3pO1282Kpx.dll Virustotal: Detection: 23%
Source: 3pO1282Kpx.dll ReversingLabs: Detection: 18%

Compliance:

Uses 32bit PE files
Source: 3pO1282Kpx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: 3pO1282Kpx.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.650010447.0000000004329000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666367575.0000000000A2C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666826708.0000000000A2C000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: a4pjr7pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000013.00000002.659568546.00000000004A2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.666367575.0000000000A2C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666826708.0000000000A2C000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F250AA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_6F250AA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F250AA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 4_2_6F250AA5
Source: svchost.exe, 0000000A.00000002.744676034.0000020495E61000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689793778.00000000047AB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692147175.00000000047AC000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000A.00000002.744484037.0000020495E12000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000002.742753085.00000204906AF000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlso
Source: Amcache.hve.19.dr String found in binary or memory: http://upx.sf.net
Source: WerFault.exe, 00000016.00000003.689793778.00000000047AB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692147175.00000000047AC000.00000004.00000001.sdmp String found in binary or memory: http://www.microsoft.

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.2e221e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1333540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.713568.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.713568.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2e221e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1333540.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3303590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3303590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.638369835.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.638310393.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.634927199.0000000002E0A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.636690720.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.662291713.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.663123528.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.693214956.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.641147134.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.638392292.00000000006FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.663179674.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.662403503.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.640836289.0000000001210000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 3pO1282Kpx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Tbiyedppjzsf\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01231291 1_2_01231291
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01229124 1_2_01229124
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121A92F 1_2_0121A92F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122CD35 1_2_0122CD35
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121F73B 1_2_0121F73B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122970A 1_2_0122970A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122E10A 1_2_0122E10A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122590E 1_2_0122590E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01223D0C 1_2_01223D0C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122BF0C 1_2_0122BF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121CB13 1_2_0121CB13
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01214D1E 1_2_01214D1E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121BD61 1_2_0121BD61
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121CF6E 1_2_0121CF6E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01230370 1_2_01230370
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01226540 1_2_01226540
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012289A2 1_2_012289A2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122E5A7 1_2_0122E5A7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01220BA4 1_2_01220BA4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122DDA5 1_2_0122DDA5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122E3B5 1_2_0122E3B5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012285B8 1_2_012285B8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122D7BE 1_2_0122D7BE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012159BF 1_2_012159BF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012143BE 1_2_012143BE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01214B81 1_2_01214B81
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01223782 1_2_01223782
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01218D80 1_2_01218D80
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122DB87 1_2_0122DB87
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121358B 1_2_0121358B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121B191 1_2_0121B191
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01221591 1_2_01221591
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01217795 1_2_01217795
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121A3E7 1_2_0121A3E7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012151EC 1_2_012151EC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122EDED 1_2_0122EDED
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012119C0 1_2_012119C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012175D2 1_2_012175D2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01219824 1_2_01219824
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01213228 1_2_01213228
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122282D 1_2_0122282D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01213432 1_2_01213432
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121243F 1_2_0121243F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122C205 1_2_0122C205
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121800A 1_2_0121800A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0123261E 1_2_0123261E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121B464 1_2_0121B464
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01216869 1_2_01216869
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01213A6C 1_2_01213A6C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122B677 1_2_0122B677
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121FA78 1_2_0121FA78
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121387F 1_2_0121387F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01223043 1_2_01223043
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121AE43 1_2_0121AE43
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01227445 1_2_01227445
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121544C 1_2_0121544C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121AA4E 1_2_0121AA4E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01216453 1_2_01216453
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122EA55 1_2_0122EA55
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121CE5A 1_2_0121CE5A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121A083 1_2_0121A083
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121F48A 1_2_0121F48A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01220A93 1_2_01220A93
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122CE90 1_2_0122CE90
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01220E97 1_2_01220E97
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122009A 1_2_0122009A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122A29B 1_2_0122A29B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0122E899 1_2_0122E899
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121FE9D 1_2_0121FE9D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012140E2 1_2_012140E2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121F0E9 1_2_0121F0E9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0121C0EA 1_2_0121C0EA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012256E9 1_2_012256E9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012184F0 1_2_012184F0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012262F5 1_2_012262F5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01224CF5 1_2_01224CF5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01211EFB 1_2_01211EFB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012146FA 1_2_012146FA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012240FE 1_2_012240FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012192C1 1_2_012192C1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01212CC2 1_2_01212CC2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012320CE 1_2_012320CE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012210CD 1_2_012210CD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012252D1 1_2_012252D1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012190D4 1_2_012190D4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012228D5 1_2_012228D5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01231CDB 1_2_01231CDB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F239F10 1_2_6F239F10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F2377B4 1_2_6F2377B4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F23D530 1_2_6F23D530
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F231DE0 1_2_6F231DE0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F24E3A1 1_2_6F24E3A1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F240380 1_2_6F240380
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F233A90 1_2_6F233A90
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F236070 1_2_6F236070
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F2368B0 1_2_6F2368B0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F23A890 1_2_6F23A890
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F23E890 1_2_6F23E890
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F2410C0 1_2_6F2410C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F239F10 4_2_6F239F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F2377B4 4_2_6F2377B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F23D530 4_2_6F23D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F231DE0 4_2_6F231DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F24E3A1 4_2_6F24E3A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F240380 4_2_6F240380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F233A90 4_2_6F233A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F236070 4_2_6F236070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F2368B0 4_2_6F2368B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F23A890 4_2_6F23A890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F23E890 4_2_6F23E890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F2410C0 4_2_6F2410C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BB1291 7_2_00BB1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAEA55 7_2_00BAEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA009A 7_2_00BA009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAA29B 7_2_00BAA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAE899 7_2_00BAE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9FE9D 7_2_00B9FE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA0A93 7_2_00BA0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BACE90 7_2_00BACE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA0E97 7_2_00BA0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9F48A 7_2_00B9F48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9A083 7_2_00B9A083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B91EFB 7_2_00B91EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B946FA 7_2_00B946FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA40FE 7_2_00BA40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B984F0 7_2_00B984F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA62F5 7_2_00BA62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA4CF5 7_2_00BA4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9F0E9 7_2_00B9F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9C0EA 7_2_00B9C0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA56E9 7_2_00BA56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B940E2 7_2_00B940E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BB1CDB 7_2_00BB1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA52D1 7_2_00BA52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B990D4 7_2_00B990D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA28D5 7_2_00BA28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BB20CE 7_2_00BB20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA10CD 7_2_00BA10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B992C1 7_2_00B992C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B92CC2 7_2_00B92CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9243F 7_2_00B9243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B93432 7_2_00B93432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B93228 7_2_00B93228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA282D 7_2_00BA282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B99824 7_2_00B99824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BB261E 7_2_00BB261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9800A 7_2_00B9800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAC205 7_2_00BAC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9FA78 7_2_00B9FA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9387F 7_2_00B9387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAB677 7_2_00BAB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B96869 7_2_00B96869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B93A6C 7_2_00B93A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9B464 7_2_00B9B464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9CE5A 7_2_00B9CE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B96453 7_2_00B96453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9544C 7_2_00B9544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9AA4E 7_2_00B9AA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA3043 7_2_00BA3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9AE43 7_2_00B9AE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA7445 7_2_00BA7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA85B8 7_2_00BA85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAD7BE 7_2_00BAD7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B959BF 7_2_00B959BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B943BE 7_2_00B943BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAE3B5 7_2_00BAE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA89A2 7_2_00BA89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAE5A7 7_2_00BAE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA0BA4 7_2_00BA0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BADDA5 7_2_00BADDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9B191 7_2_00B9B191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA1591 7_2_00BA1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B97795 7_2_00B97795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9358B 7_2_00B9358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B94B81 7_2_00B94B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA3782 7_2_00BA3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B98D80 7_2_00B98D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BADB87 7_2_00BADB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B951EC 7_2_00B951EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAEDED 7_2_00BAEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9A3E7 7_2_00B9A3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B975D2 7_2_00B975D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B919C0 7_2_00B919C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9F73B 7_2_00B9F73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BACD35 7_2_00BACD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9A92F 7_2_00B9A92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA9124 7_2_00BA9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B94D1E 7_2_00B94D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9CB13 7_2_00B9CB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA970A 7_2_00BA970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BAE10A 7_2_00BAE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA590E 7_2_00BA590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA3D0C 7_2_00BA3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BABF0C 7_2_00BABF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BB0370 7_2_00BB0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9CF6E 7_2_00B9CF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B9BD61 7_2_00B9BD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA6540 7_2_00BA6540
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6F24AC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6F231DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6F24AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6F231DE0 appears 97 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: 3pO1282Kpx.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt",WgszfYRBINQe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 324
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6544 -ip 6544
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 332
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt",WgszfYRBINQe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL (repeated 3 times)
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 324
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6544 -ip 6544
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 332
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown (repeated 2 times)
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A6E.tmp
Source: classification engine Classification label: mal68.troj.evad.winDLL@34/18@0/1
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6800:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6936:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6544
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts (repeated 2 times)
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (repeated 2 times)
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK (repeated 3 times)
Source: 3pO1282Kpx.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 3pO1282Kpx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.650010447.0000000004329000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666367575.0000000000A2C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666826708.0000000000A2C000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: a4pjr7pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000013.00000002.659568546.00000000004A2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.666367575.0000000000A2C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666826708.0000000000A2C000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret). The two push esi; retf hits, 1_2_012113E7 and 7_2_00B913E7, are the same offset (0x13E7) into the two Yara-matched regions at 0x01210000 (loaddll32.exe) and 0x00B90000 (rundll32.exe), i.e. one unpacked payload mapped at two bases; the push ecx; ret at 0x6F256A93 is in the DLL's own mapped image.
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012113E7 push esi; retf 1_2_012113F0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F256A93 push ecx; ret 1_2_6F256AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F256A93 push ecx; ret 4_2_6F256AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00B913E7 push esi; retf 7_2_00B913F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F23E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 1_2_6F23E690

Persistence and Installation Behavior:

barindex
Drops PE files to the windows directory (C:\Windows). The target is a randomly named subdirectory of SysWOW64 and the file keeps a non-.dll extension; the same rundll32.exe then re-launches it through a second rundll32.exe with the export WgszfYRBINQe (see the process-creation lines above). This move-and-relaunch is the installation step of this sample, and the Zone.Identifier deletion in the next section is performed on the moved file.
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt
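The move above, together with the rundll32.exe to rundll32.exe re-launch of xswipktkmrv.drt via the export WgszfYRBINQe in the process-creation lines, is the pattern a detection rule should key on. The following Python is an added example written for this page, not part of the Joe Sandbox report or of the sample; it assumes process-creation telemetry that carries the parent image and the full command line (Sysmon event 1 or Windows event 4688 style). The events it scans are constructed from the command lines in this report plus one benign control, and the allowlists of library extensions and well-known rundll32 entry points are the author's choices to be tuned per environment.

```python
import ntpath
import re

# Extensions rundll32.exe legitimately loads; anything else (here .drt) is suspicious.
LIBRARY_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# Well-known rundll32 entry points (author's allowlist, tune per environment); an
# unknown, letters-only export name is only a weak signal on its own.
KNOWN_EXPORTS = {
    "control_rundll", "dllregisterserver", "dllunregisterserver", "dllinstall",
    "printuientry", "installhinfsection", "launchinfsection", "shellexec_rundll",
    "openas_rundll",
}

# rundll32 command line: <rundll32 image> <module>,<export>; module quoted or bare.
RUNDLL_RE = re.compile(
    r'^(?:"[^"]*"|\S+)\s+'                        # image path of rundll32 itself
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))'  # module path
    r'\s*,\s*(?P<export>\S+)'                     # export name or #ordinal
)
# A module sitting in a subdirectory of System32/SysWOW64, not in the directory itself.
SYSTEM_SUBDIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+\\", re.I)

# Constructed events modelled on the process-creation lines of this report, plus one
# benign control; not real telemetry.
EVENTS = [
    {"parent": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1'},
    {"parent": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt",WgszfYRBINQe'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline):
    """Return (module_path, export) for a rundll32 command line, else None."""
    tokens = cmdline.split()
    if not tokens or "rundll32" not in ntpath.basename(tokens[0].strip('"')).lower():
        return None
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    return (m.group("quoted") or m.group("bare"), m.group("export"))


def score_event(event):
    """Score one process-creation event; (score, reasons), or None if not rundll32."""
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return None
    module, export = parsed
    score, reasons = 0, []
    if ntpath.splitext(module)[1].lower() not in LIBRARY_EXTS:
        score += 3
        reasons.append("module has a non-library extension")
    if SYSTEM_SUBDIR_RE.match(module):
        score += 2
        reasons.append("module lives in a subdirectory of the system directory")
    if ntpath.basename(event["parent"]).lower() == "rundll32.exe":
        score += 2
        reasons.append("parent is rundll32.exe (self re-launch)")
    if (not export.startswith("#") and export.lower() not in KNOWN_EXPORTS
            and re.fullmatch(r"[A-Za-z]{7,}", export)):
        score += 1
        reasons.append("export name is not a well-known entry point")
    return score, reasons


def triage(events, threshold=3):
    """Return the events whose score reaches the threshold, with their reasons."""
    flagged = []
    for ev in events:
        res = score_event(ev)
        if res and res[0] >= threshold:
            flagged.append({"cmdline": ev["cmdline"], "score": res[0], "reasons": res[1]})
    return flagged


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["score"], hit["cmdline"], "; ".join(hit["reasons"]), sep="\n  ")
```

Only the re-launch of xswipktkmrv.drt crosses the threshold: the non-library extension, the system-directory subfolder and the rundll32.exe parent each fire, while the harness's own rundll32.exe launches of the original DLL (including the export ajkaibu, which only trips the weak export-name check) stay below it.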

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality). The only source is WerFault.exe, the Windows Error Reporting process that svchost.exe started after loaddll32.exe (PID 6544) crashed; this is not behaviour of the sample.
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (repeated 10 times)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (repeated 6 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (repeated 2 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (repeated 19 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (repeated 2 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (repeated 19 times)

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis. The only hit is in svchost.exe, a Windows service host started during the run, not in any of the sample's rundll32.exe instances.
Source: C:\Windows\System32\svchost.exe TID: 6960 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines). The PhysicalDrive0 open and the ProcessInformation query below come from svchost.exe, and the VMware and Hyper-V strings that follow are in Amcache.hve.19.dr, the copy of the system's Amcache hive that WerFault.exe (process 19) collected for the crash report; they describe the sandbox host itself, not anything the sample did. The items attributable to the sample are the FindFirstFileExW loop in the DLL image and the C:\ FullSizeInformation volume query by rundll32.exe.
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F250AA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_6F250AA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F250AA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 4_2_6F250AA5
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.19.dr Binary or memory string: VMware
Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.19.dr Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.19.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
Source: WerFault.exe, 00000016.00000003.684751731.0000000004764000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr Binary or memory string: VMware7,1
Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 0000000A.00000002.744653763.0000020495E54000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689833815.0000000004765000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692036428.0000000004765000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692127501.00000000047A2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.me
Source: svchost.exe, 0000000A.00000002.741934037.0000020490629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW=
Source: svchost.exe, 0000000A.00000002.744676034.0000020495E61000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAWal\BFE_Notify_Event_{58328348-e77b-4df9-863b-dd539c6cd7d7}LMEM
Source: WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692127501.00000000047A2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW_
Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent). The chain IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (with IsProcessorFeaturePresent and TerminateProcess in the neighbouring functions at 0x6F24A462 and 0x6F24AB0C) is the Visual C++ runtime's security-cookie failure handler, so by itself it is not evidence of deliberate anti-debugging; the PEB reads and DebugPort queries further down are the stronger indicators.
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F250326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6F250326
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F23E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 1_2_6F23E690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F231290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 1_2_6F231290
Contains functionality to read the PEB (fs:[30h] is the PEB pointer in the 32-bit TEB). 1_2_012207D2 and 7_2_00BA07D2 are the same offset (0x107D2) into the Yara-matched regions at 0x01210000 and 0x00B90000, i.e. they are in the unpacked payload; the 0x6F24xxxx hits are in the DLL's own mapped image.
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012207D2 mov eax, dword ptr fs:[00000030h] 1_2_012207D2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F249990 mov eax, dword ptr fs:[00000030h] 1_2_6F249990
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F24EC0B mov ecx, dword ptr fs:[00000030h] 1_2_6F24EC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F2502CC mov eax, dword ptr fs:[00000030h] 1_2_6F2502CC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F249920 mov esi, dword ptr fs:[00000030h] 1_2_6F249920
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F249920 mov eax, dword ptr fs:[00000030h] 1_2_6F249920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F249990 mov eax, dword ptr fs:[00000030h] 4_2_6F249990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F24EC0B mov ecx, dword ptr fs:[00000030h] 4_2_6F24EC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F2502CC mov eax, dword ptr fs:[00000030h] 4_2_6F2502CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F249920 mov esi, dword ptr fs:[00000030h] 4_2_6F249920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F249920 mov eax, dword ptr fs:[00000030h] 4_2_6F249920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00BA07D2 mov eax, dword ptr fs:[00000030h] 7_2_00BA07D2
Checks if the current process is being debugged (DebugPort is the ProcessDebugPort class of NtQueryInformationProcess, which returns a non-zero value when a debugger is attached)
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort (repeated 2 times)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_012289A2 LdrInitializeThunk, 1_2_012289A2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F24A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6F24A462
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F250326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6F250326
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F24AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6F24AB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F24A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6F24A462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F250326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6F250326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6F24AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6F24AB0C
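The two indicator families in this report, the push reg; ret(f) sequences in the Data Obfuscation section and the mov r32, fs:[30h] PEB reads here (BeingDebugged sits at PEB+2 and NtGlobalFlag at PEB+0x68, the two fields such code usually inspects), can be located statically in a carved memory region before it goes into a disassembler. The scanner below is an added example for this page, not code from the report or from the sample; the byte buffer it scans is constructed to imitate such a check and is not taken from the DLL. Both byte patterns also occur in compiler runtime code (the 0x6F24xxxx hits above are inside the DLL image rather than the unpacked region), so hits are triage pointers, not a verdict.

```python
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_DISP = b"\x30\x00\x00\x00"  # fs:[30h] -> TEB.ProcessEnvironmentBlock (32-bit)


def find_peb_reads(buf):
    """Offsets of 'mov r32, dword ptr fs:[30h]' in a raw 32-bit code buffer.

    Two encodings: 64 A1 30 00 00 00 (eax only, moffs32 form) and
    64 8B /r 30 00 00 00 with ModRM mod=00 rm=101 (disp32), reg = destination.
    """
    hits = []
    for i in range(len(buf) - 5):
        if buf[i] != 0x64:                      # FS segment override prefix
            continue
        if buf[i + 1] == 0xA1 and buf[i + 2:i + 6] == PEB_DISP:
            hits.append((i, "mov eax, dword ptr fs:[30h]"))
        elif (buf[i + 1] == 0x8B and i + 7 <= len(buf)
              and (buf[i + 2] & 0xC7) == 0x05 and buf[i + 3:i + 7] == PEB_DISP):
            reg = REG32[(buf[i + 2] >> 3) & 7]
            hits.append((i, f"mov {reg}, dword ptr fs:[30h]"))
    return hits


def find_push_ret(buf):
    """Offsets of 'push r32; ret' (5x C3) or 'push r32; retf' (5x CB).

    A register push immediately followed by a return transfers control to
    whatever the register holds; compilers rarely emit it, but byte scanning
    also hits data and mid-instruction bytes, so review each hit.
    """
    hits = []
    for i in range(len(buf) - 1):
        op, nxt = buf[i], buf[i + 1]
        if 0x50 <= op <= 0x57 and nxt in (0xC3, 0xCB):
            kind = "ret" if nxt == 0xC3 else "retf"
            hits.append((i, f"push {REG32[op - 0x50]}; {kind}"))
    return hits


def scan(buf):
    """Run both heuristics and return the hits keyed by indicator family."""
    return {"peb_reads": find_peb_reads(buf), "push_ret": find_push_ret(buf)}


# Constructed 32-bit code fragment (not bytes from the DLL) that performs the two
# PEB-based checks and ends with the push/ret sequences the report flags.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                          # 00: push ebp; mov ebp, esp
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,        # 03: mov eax, fs:[30h]      (PEB)
    0x8A, 0x40, 0x02,                          # 09: mov al, [eax+2]        (PEB.BeingDebugged)
    0x84, 0xC0,                                # 12: test al, al
    0x75, 0x02,                                # 14: jnz short +2
    0x33, 0xC0,                                # 16: xor eax, eax
    0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00,  # 18: mov ecx, fs:[30h]      (PEB)
    0x8B, 0x49, 0x68,                          # 25: mov ecx, [ecx+68h]     (PEB.NtGlobalFlag)
    0x56, 0xCB,                                # 28: push esi; retf
    0x51, 0xC3,                                # 30: push ecx; ret
    0x5D, 0xC3,                                # 32: pop ebp; ret           (normal epilogue, not flagged)
])

if __name__ == "__main__":
    for family, hits in scan(SAMPLE).items():
        for off, text in hits:
            print(f"{family:9s} +0x{off:04x}  {text}")
```

Run against a carved region such as the 0x01210000 dump, the offsets it prints can be compared directly with the 1_2_ code-function addresses in this report (address minus region base); a hit at the same offset in two regions with different bases, as with 0x13E7 and 0x107D2 above, confirms the regions hold the same payload.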

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code). Both creators listed here lie outside the sample's own code path: cmd.exe launching rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1 is the loaddll32.exe analysis harness calling ordinal 1, and svchost.exe launching WerFault.exe is Windows Error Reporting handling the crash of PID 6544. None of the sample's rundll32.exe instances appears as a creator, so this report shows no suspended-process injection by the sample.
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 324
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6544 -ip 6544
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 332
Source: loaddll32.exe, 00000001.00000000.663256244.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.662492009.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.638431605.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.641347944.0000000001970000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.742335301.00000000036A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000000.663256244.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.662492009.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.638431605.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.641347944.0000000001970000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.742335301.00000000036A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000000.663256244.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.662492009.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.638431605.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.641347944.0000000001970000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.742335301.00000000036A0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000001.00000000.663256244.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.662492009.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.638431605.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.641347944.0000000001970000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.742335301.00000000036A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device. Every hit is svchost.exe touching the BITS job database under C:\ProgramData\Microsoft\Network\Downloader and the system volume, i.e. background service activity rather than the sample.
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (repeated 3 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (repeated 4 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (repeated 3 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (repeated 2 times)
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F24A584 cpuid 1_2_6F24A584
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F24A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6F24A755

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products). The string is in Amcache.hve.19.dr, the Amcache hive that WerFault.exe copied into the crash report; Amcache inventories executables present on the analysis machine, so this is a Defender path from the sandbox host, not a string carried by the sample.
Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.2e221e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1333540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.713568.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.713568.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2e221e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1333540.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3303590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.1210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1210000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3303590.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.1333540.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.638369835.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.638310393.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.634927199.0000000002E0A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.636690720.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.662291713.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.663123528.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.693214956.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.641147134.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.638392292.00000000006FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.663179674.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.662403503.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.640836289.0000000001210000.00000040.00000010.sdmp, type: MEMORY
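The list above mixes two naming schemes, and what matters for the next step of an analysis is which matched regions are private executable memory. The Python below is an added example for this page, not part of Joe Sandbox or its report. It assumes the field layout of the names: for .sdmp, process index.stage.dump id.base address.protection.type, of which only the base and the protection (standard Win32 PAGE_* values) are decoded and the type field is kept raw; for .unpack, process index.stage.image.base.index[.raw]. The stage field is left undecoded; it is the same middle number that appears in the 1_2_… code-function labels. The lines fed in are copied from this section. The 0x01210000 and 0x00B90000 regions it reports as PAGE_EXECUTE_READWRITE are the ones the fs:[30h] reads at 1_2_012207D2 and 7_2_00BA07D2 fall in, which is the unpacked payload to carve for configuration extraction.

```python
import re
from collections import defaultdict

# Documented Win32 memory protection constants, used to decode the protection field.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layout of a memory dump name: proc.stage.dumpid.base.protect.type.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)
# Assumed layout of an unpacked image name: proc.stage.image.base.index[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$"
)
LINE_RE = re.compile(r"Source: Yara match File source: (?P<name>[^,\s]+), type: (?P<kind>\w+)")

# A subset of the Yara match lines from this section, copied verbatim.
YARA_LINES = [
    "Source: Yara match File source: 7.2.rundll32.exe.2e221e0.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 1.0.loaddll32.exe.1210000.3.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 4.2.rundll32.exe.3200000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 5.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 6.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000001.00000000.638369835.000000000131B000.00000004.00000020.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000007.00000002.634927199.0000000002E0A000.00000004.00000020.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000005.00000002.636690720.00000000032EA000.00000004.00000020.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp, type: MEMORY",
]


def parse_match_line(line):
    """Parse one 'Source: Yara match File source: ...' line; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    name = m.group("name")
    s = SDMP_RE.match(name)
    if s:
        prot = int(s["prot"], 16)
        return {"kind": "MEMORY", "proc": int(s["proc"], 16), "stage": int(s["stage"], 16),
                "base": int(s["base"], 16), "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
                "type_raw": s["type"], "image": None}
    u = UNPACK_RE.match(name)
    if u:
        return {"kind": "UNPACKEDPE", "proc": int(u["proc"]), "stage": int(u["stage"]),
                "base": int(u["base"], 16), "protect": None, "type_raw": None,
                "image": u["image"]}
    return None


def triage(lines):
    """Per process index: image name (from .unpack names) and the distinct
    (base, protection) memory regions in which the rule matched."""
    images, regions = {}, defaultdict(set)
    for line in lines:
        rec = parse_match_line(line)
        if rec is None:
            continue
        if rec["kind"] == "UNPACKEDPE":
            images[rec["proc"]] = rec["image"]
        else:
            regions[rec["proc"]].add((rec["base"], rec["protect"]))
    return {p: {"image": images.get(p), "regions": sorted(regions[p])}
            for p in sorted(set(images) | set(regions))}


def rwx_regions(lines):
    """(proc, base) of matched regions that are PAGE_EXECUTE_READWRITE: the
    unpacked code worth carving for configuration extraction."""
    out = {(r["proc"], r["base"]) for r in map(parse_match_line, lines)
           if r and r["kind"] == "MEMORY" and r["protect"] == "PAGE_EXECUTE_READWRITE"}
    return sorted(out)


if __name__ == "__main__":
    for proc, info in triage(YARA_LINES).items():
        print(proc, info["image"], [(hex(b), p) for b, p in info["regions"]])
    print("RWX:", [(p, hex(b)) for p, b in rwx_regions(YARA_LINES)])
```

Each process that loaded the DLL (loaddll32.exe and rundll32.exe instances 4 to 7) ends up with one PAGE_EXECUTE_READWRITE region holding the match and, for most, a second PAGE_READWRITE region (0x131B000, 0x2E0A000, 0x32EA000, 0x3259000) that is the better candidate for decrypted strings and configuration data.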