Windows Analysis Report aoPHg7b78c

Overview

General Information

Sample Name: aoPHg7b78c (renamed file extension from none to dll)
Analysis ID: 553144
MD5: 142b439bbfee0b501b2c25ac46f383c4
SHA1: 711a48cd51c5ff6a638913b4d4fa64ae7ae85530
SHA256: 23050d77ca088359fb1d6c3a5b201c56a55bf5be9137a6d69bca91f5b2cafbda
Tags: 32dllexe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4c10000.4.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: aoPHg7b78c.dll Virustotal: Detection: 32%
Machine Learning detection for sample
Source: aoPHg7b78c.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: aoPHg7b78c.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49778 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49779 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49779 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 11
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000011.00000002.796358525.000001AAEF2E1000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000008.00000003.703009687.0000000004D87000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c247070c01707
Source: svchost.exe, 00000011.00000003.776973344.000001AAEFB90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.776922582.000001AAEFB6C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777217767.000001AAEFBB0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777193197.000001AAEFBD0000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.776973344.000001AAEFB90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.776922582.000001AAEFB6C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777217767.000001AAEFBB0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777193197.000001AAEFBD0000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.776973344.000001AAEFB90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.776922582.000001AAEFB6C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777217767.000001AAEFBB0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777193197.000001AAEFBD0000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.776973344.000001AAEFB90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.776922582.000001AAEFB6C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777217767.000001AAEFBB0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777193197.000001AAEFBD0000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.778025380.000001AAEFB84000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.778051939.000001AAEFB95000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.778223427.000001AAEFBA6000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.778203433.000001AAEFB84000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100012D0 recvfrom, 2_2_100012D0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1000FF59

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.4ca0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b90000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ca0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4bc0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2b30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b50000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.44e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5030000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.46b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5030000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3f10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.47c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4950000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4610000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5060000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4cd0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4a70000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4fc0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e60000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e30000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cf0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.46b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ff0000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2490000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4da0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4dd0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4e00000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2b30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e90000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.46e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.31a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.44e0000.0.unpack, type: UNPACKEDPE

System Summary:

Uses 32bit PE files
Source: aoPHg7b78c.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Gmpumh\aylxdwzwghrxhxt.vai:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Gmpumh\
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10017BC1 appears 66 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10017BC1 appears 136 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1000D5EC appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001984C appears 48 times
Sample file is different than original file name gathered from version info
Source: aoPHg7b78c.dll Binary or memory string: OriginalFilenameUDPTool.EXE: vs aoPHg7b78c.dll
PE file contains strange resources
Source: aoPHg7b78c.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: aoPHg7b78c.dll Virustotal: Detection: 32%
Source: aoPHg7b78c.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\aoPHg7b78c.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\aoPHg7b78c.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gmpumh\aylxdwzwghrxhxt.vai",AdUu
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gmpumh\aylxdwzwghrxhxt.vai",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal96.troj.evad.winDLL@21/2@0/27
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource, 2_2_100126F9
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: aoPHg7b78c.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: aoPHg7b78c.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: aoPHg7b78c.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: aoPHg7b78c.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: aoPHg7b78c.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10019891 push ecx; ret 2_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10017C60 push ecx; ret 2_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019891 push ecx; ret 3_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10017C60 push ecx; ret 3_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10017C60 push ecx; ret 4_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04611195 push cs; iretd 4_2_04611197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04571195 push cs; iretd 6_2_04571197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10023A79
PE file contains an invalid checksum
Source: aoPHg7b78c.dll Static PE information: real checksum: 0x66354 should be: 0x756f1
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\aoPHg7b78c.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Gmpumh\aylxdwzwghrxhxt.vai

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gmpumh\aylxdwzwghrxhxt.vai:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Iekqikfbkhlcqwq\ruelmpgbkke.xkn:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_10008B90
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6572 Thread sleep time: -120000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000011.00000002.796358525.000001AAEF2E1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.796266635.000001AAEF280000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10023A79
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100178B6
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0461F7F7 mov eax, dword ptr fs:[00000030h] 4_2_0461F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0457F7F7 mov eax, dword ptr fs:[00000030h] 6_2_0457F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 2_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 2_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 3_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 3_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1
Source: rundll32.exe, 00000008.00000002.1182457578.0000000002B00000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000008.00000002.1182457578.0000000002B00000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.1182457578.0000000002B00000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.1182457578.0000000002B00000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 2_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_10023880
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022853 cpuid 2_2_10022853
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1001F914
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100178B6

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.4ca0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b90000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ca0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4bc0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2b30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b50000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.44e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5030000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.46b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5030000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3f10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.47c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4950000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4610000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5060000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4cd0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4a70000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4fc0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e60000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e30000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cf0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.46b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ff0000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2490000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4da0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4dd0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4e00000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2b30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e90000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.46e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.31a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.44e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ec0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5050000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4a40000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4570000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cc0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ad0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4fc0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4920000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.48f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4d70000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.48f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ff0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b50000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4790000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5020000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ec0000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3f10000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4790000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.31a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5020000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4980000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4950000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e60000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4a40000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c10000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.31e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4040000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4dd0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ef0000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4b90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.674927662.0000000004AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182814824.00000000046B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183507223.0000000004B91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673514281.0000000004E91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673381986.0000000004CD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182936504.0000000004790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707714646.0000000005030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673427054.0000000004E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707287377.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673320480.0000000004BC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183112562.0000000004921000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1184000383.0000000004FF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183164104.0000000004950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183211680.0000000004981000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183307427.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707424390.0000000004C41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.674824431.0000000004990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183880919.0000000004EF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673478838.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.665896517.00000000031E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707256465.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673357301.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707551500.0000000004DA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707756547.0000000005061000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182632481.0000000004041000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707068961.0000000004611000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183963259.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182978505.00000000047C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707620059.0000000004E01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707581803.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183573378.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707389836.0000000004C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183810438.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183445171.0000000004B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673451267.0000000004E31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.668518477.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182189542.0000000002491000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.669060982.0000000000E31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.672752369.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183605393.0000000004CF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.706952271.00000000044E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182513968.0000000003F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.665871488.00000000031A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1184046828.0000000005020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182867588.00000000046E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673000186.0000000004571000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1184090856.0000000005051000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183271140.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673283012.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673604442.0000000004FF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.707509092.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673557883.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182155404.0000000002460000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1183059025.00000000048F0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 2_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_100011C0