Windows Analysis Report RQ6mxb6ssDtBoLUIE.dll

Overview

General Information

Sample Name: RQ6mxb6ssDtBoLUIE.dll
Analysis ID: 553238
MD5: 2ca3b6aaf357e2a3c771e4e4204193a5
SHA1: e4cccff37f58d1c6ce65117732cc22875e435bf0
SHA256: 221e0cc963f2a8d6614db7a7556b1879a35d2626e776091dd1b82903cbd766da
Tags: dll
Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 5.2.rundll32.exe.5000000.10.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: RQ6mxb6ssDtBoLUIE.dll Virustotal: Detection: 38%
Source: RQ6mxb6ssDtBoLUIE.dll ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: RQ6mxb6ssDtBoLUIE.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49753 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49754 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.138.98.34:80
Source: Malware configuration extractor IPs: 69.16.218.101:8080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49754 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000011.00000003.407646546.000002A670DA2000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU"
,"SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000011.00000002.424997634.000002A670D00000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.424857181.000002A6706F1000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000A.00000003.358571882.00000000052C0000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.360398348.00000000052BF000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.360648295.00000000052BF000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 0000000A.00000003.358571882.00000000052C0000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/:
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000003.404286448.000002A671221000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401511340.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401568699.000002A671203000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401665988.000002A670D80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401938754.000002A670D91000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.404286448.000002A671221000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401511340.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401568699.000002A671203000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401665988.000002A670D80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401938754.000002A670D91000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.404286448.000002A671221000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401511340.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401568699.000002A671203000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401665988.000002A670D80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401938754.000002A670D91000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.404286448.000002A671221000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401511340.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401568699.000002A671203000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401665988.000002A670D80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401938754.000002A670D91000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.405183844.000002A670D90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.405198948.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.405168594.000002A670DA7000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.405143332.000002A670DA7000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100012D0 recvfrom, 2_2_100012D0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_1000FF59

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.5310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4e40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d10000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ed0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4e70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.35f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5030000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4e40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5440000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5340000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ea0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ce0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5470000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c30000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5000000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.35f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ea0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.299809540.0000000005000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291850550.00000000008A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299210410.0000000004E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.297719098.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.298746738.0000000004C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.298845218.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297189836.0000000005310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.301069258.0000000003591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291729039.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297374152.0000000005471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.298795407.0000000004C31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.298902972.0000000004D11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299405702.0000000004E71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.294644360.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299584840.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297325366.0000000005440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.296807303.0000000003301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.296956252.00000000035F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297422953.00000000054A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.296758413.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.297974222.0000000001211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297236568.0000000005341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299746454.0000000004ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299970010.0000000005031000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.295542528.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300853002.0000000003430000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Pecygnxduanun\bzajsqcyvrfnuga.wge:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Pecygnxduanun\
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10020011 2_2_10020011
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100181CA 2_2_100181CA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001929D 2_2_1001929D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002542D 2_2_1002542D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100274AE 2_2_100274AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10026575 2_2_10026575
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001869D 2_2_1001869D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001178A 2_2_1001178A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10016860 2_2_10016860
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002596F 2_2_1002596F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022A5C 2_2_10022A5C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018A71 2_2_10018A71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001AAB7 2_2_1001AAB7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001CB16 2_2_1001CB16
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018E7D 2_2_10018E7D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10025EB1 2_2_10025EB1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B85FF 2_2_008B85FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BEFDD 2_2_008BEFDD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008A80C0 2_2_008A80C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BD8DB 2_2_008BD8DB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008AF0E9 2_2_008AF0E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008C00EF 2_2_008C00EF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008C2009 2_2_008C2009
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B8806 2_2_008B8806
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008AB820 2_2_008AB820
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BF840 2_2_008BF840
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008A7078 2_2_008A7078
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008AA871 2_2_008AA871
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B6187 2_2_008B6187
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008A2194 2_2_008A2194
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BD1BC 2_2_008BD1BC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BE1F8 2_2_008BE1F8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008AD14C 2_2_008AD14C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B2142 2_2_008B2142
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BE955 2_2_008BE955
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B017B 2_2_008B017B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008ABAA9 2_2_008ABAA9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BA2A5 2_2_008BA2A5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B0ABA 2_2_008B0ABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BCAD5 2_2_008BCAD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B7A0F 2_2_008B7A0F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B9A01 2_2_008B9A01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B4244 2_2_008B4244
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008BB257 2_2_008BB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10020011 4_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100181CA 4_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001929D 4_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002542D 4_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100274AE 4_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10026575 4_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001869D 4_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001178A 4_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10016860 4_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002596F 4_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10022A5C 4_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10018A71 4_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001AAB7 4_2_1001AAB7
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001984C appears 48 times
Sample file is different than original file name gathered from version info
Source: RQ6mxb6ssDtBoLUIE.dll Binary or memory string: OriginalFilenameUDPTool.EXE: vs RQ6mxb6ssDtBoLUIE.dll
PE file contains strange resources
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: RQ6mxb6ssDtBoLUIE.dll Virustotal: Detection: 38%
Source: RQ6mxb6ssDtBoLUIE.dll ReversingLabs: Detection: 44%
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pecygnxduanun\bzajsqcyvrfnuga.wge",rVofdtApIoqtOl
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pecygnxduanun\bzajsqcyvrfnuga.wge",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pecygnxduanun\bzajsqcyvrfnuga.wge",rVofdtApIoqtOl
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pecygnxduanun\bzajsqcyvrfnuga.wge",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal96.troj.evad.winDLL@21/2@0/28
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource, 2_2_100126F9
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10019891 push ecx; ret 2_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10017C60 push ecx; ret 2_2_10017C73
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008B08E0 push esp; iretd 2_2_008B08E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_008A1195 push cs; iretd 2_2_008A1197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10019891 push ecx; ret 4_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10017C60 push ecx; ret 4_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C608E0 push esp; iretd 4_2_04C608E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C51195 push cs; iretd 4_2_04C51197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01211195 push cs; iretd 5_2_01211197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_03591195 push cs; iretd 8_2_03591197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_035A08E0 push esp; iretd 8_2_035A08E3
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10023A79
PE file contains an invalid checksum
Source: RQ6mxb6ssDtBoLUIE.dll Static PE information: real checksum: 0x66354 should be: 0x73ff3
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Pecygnxduanun\bzajsqcyvrfnuga.wge

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Pecygnxduanun\bzajsqcyvrfnuga.wge:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Tuzue\rprlsawpt.hac:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 4_2_10008B90
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 7136 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.9 %
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000011.00000002.424857181.000002A6706F1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.424753869.000002A6706A8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10023A79
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100178B6
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C5F7F7 mov eax, dword ptr fs:[00000030h] 4_2_04C5F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0121F7F7 mov eax, dword ptr fs:[00000030h] 5_2_0121F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0359F7F7 mov eax, dword ptr fs:[00000030h] 8_2_0359F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 2_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 2_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 4_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 4_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 2_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 4_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 4_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_10023880
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022853 cpuid 2_2_10022853
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1001F914
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100178B6

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.5310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4e40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d10000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ed0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4e70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.35f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5030000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4e40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5440000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5340000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ea0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ce0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5470000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c30000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5000000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4c00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.35f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ea0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.299809540.0000000005000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291850550.00000000008A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299210410.0000000004E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.297719098.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.298746738.0000000004C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.298845218.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297189836.0000000005310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.301069258.0000000003591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.291729039.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297374152.0000000005471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.298795407.0000000004C31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.298902972.0000000004D11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299405702.0000000004E71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.294644360.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299584840.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297325366.0000000005440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.296807303.0000000003301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.296956252.00000000035F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297422953.00000000054A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.296758413.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.297974222.0000000001211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.297236568.0000000005341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299746454.0000000004ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.299970010.0000000005031000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.295542528.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300853002.0000000003430000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 2_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 4_2_100011C0