Windows Analysis Report nV5Wu77N8J

Overview

General Information

Sample Name: nV5Wu77N8J (renamed file extension from none to dll)
Analysis ID: 553353
MD5: a0306b7a6a12022e4fc8e586b0bc90ec
SHA1: ee7d221826a725a2110bbddbea34bd14522b5ab4
SHA256: 9b1ca060b5a969f03c4c8d99ad487a454742e47fff97343a90afacb5da7d9589
Tags: 32dllexe

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.0.loaddll32.exe.de0000.3.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: nV5Wu77N8J.dll Virustotal: Detection: 16%
Source: nV5Wu77N8J.dll ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: nV5Wu77N8J.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726747041.0000000002F12000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726920017.0000000002F12000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726719293.00000000049D6000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.727134531.0000000002F18000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726928256.0000000002F18000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726753757.0000000002F18000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000010.00000003.727134531.0000000002F18000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726928256.0000000002F18000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726753757.0000000002F18000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726739926.0000000002F0C000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.727328906.0000000002F0C000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.726747041.0000000002F12000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726920017.0000000002F12000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000010.00000002.741443173.0000000000A72000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.726739926.0000000002F0C000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.727328906.0000000002F0C000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49770 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49771 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 11
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000014.00000002.822439687.0000020B3A700000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.799118884.0000020B3A70D000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000014.00000002.822309970.0000020B39EE9000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000014.00000003.798251058.0000020B3A790000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.798329573.0000020B3A76E000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.16.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000014.00000003.798251058.0000020B3A790000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.798329573.0000020B3A76E000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000014.00000003.798251058.0000020B3A790000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.798329573.0000020B3A76E000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000014.00000003.798251058.0000020B3A790000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.798329573.0000020B3A76E000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000014.00000003.800900762.0000020B3AC02000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.800918679.0000020B3A790000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.800834222.0000020B3AC19000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.800807896.0000020B3AC19000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.800791461.0000020B3A7A1000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.800774631.0000020B3A790000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001280 recvfrom, 2_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_10027958

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 14.2.rundll32.exe.55b0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5030000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5510000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.52a0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.56f0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.59a0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.de0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4780000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.49a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.52d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5570000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.e10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5270000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5570000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.49d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5540000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.de0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.59d0000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.34d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5a20000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5a20000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.52d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.de0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5300000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.55e0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5110000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.55b0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.57a0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5a50000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.57d0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.57a0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.56c0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5210000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.52f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5140000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.52b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5510000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5060000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5110000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5270000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.e10000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5270000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.49a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.34d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.59a0000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5160000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5130000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.56c0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5240000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5270000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5210000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.52b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.718929777.0000000003501000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188125968.00000000049D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190726376.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.718904101.00000000034D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719243124.0000000005161000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719379711.00000000052A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719211601.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190213897.00000000057D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719345888.0000000005270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719826672.00000000053B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719773637.00000000052F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188426833.0000000005110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188330842.0000000005030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719527275.0000000004CB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719316941.0000000005241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719898030.0000000005510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.723238837.0000000004750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188469714.0000000005141000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.670020972.0000000004740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1186610997.0000000002E00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188598739.00000000052A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719919636.0000000005541000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188659452.0000000005301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.720219818.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.669938310.0000000002541000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.720240608.0000000000E11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719503580.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188052400.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719747240.00000000052B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190813785.0000000005A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719938381.0000000005570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190127401.00000000057A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719857103.00000000053E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.722455601.0000000000E11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719284878.0000000005210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188878871.00000000055E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1186687872.0000000002E31000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188363449.0000000005061000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190848028.0000000005A51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188631120.00000000052D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.722263663.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188973289.00000000056F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188839400.00000000055B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.723309788.0000000004781000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.670044528.0000000004771000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188934735.00000000056C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.742599060.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188553677.0000000005270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.669913455.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190787571.00000000059D1000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: nV5Wu77N8J.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7128 -ip 7128
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Bdaefwhkzqb\lrinxnmhyts.ogu:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Bdaefwhkzqb\
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100291F6 2_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F378 2_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100403D7 2_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1004250B 2_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041557 2_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100395A1 2_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F784 2_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1004091B 2_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002EACF 2_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002FBA4 2_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100291F6 3_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F378 3_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100403D7 3_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004250B 3_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041557 3_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100395A1 3_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F784 3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004091B 3_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002EACF 3_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002FBA4 3_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035D96 3_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10040E5F 3_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002EFA4 3_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBA445 4_2_04CBA445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCB257 4_2_04CCB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC4A66 4_2_04CC4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBDE74 4_2_04CBDE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC7A0F 4_2_04CC7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD2009 4_2_04CD2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB8636 4_2_04CB8636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCEFDD 4_2_04CCEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBC5D8 4_2_04CBC5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC85FF 4_2_04CC85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD17BD 4_2_04CD17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC654A 4_2_04CC654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC2142 4_2_04CC2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCFF58 4_2_04CCFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCE955 4_2_04CCE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB670B 4_2_04CB670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD2B09 4_2_04CD2B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCAD08 4_2_04CCAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB80C0 4_2_04CB80C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCCCD9 4_2_04CCCCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCD8DB 4_2_04CCD8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCCAD5 4_2_04CCCAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBF0E9 4_2_04CBF0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD00EF 4_2_04CD00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD3EE9 4_2_04CD3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCE4E5 4_2_04CCE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCBEFD 4_2_04CCBEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBBAA9 4_2_04CBBAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC3EAA 4_2_04CC3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD36AA 4_2_04CD36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCA2A5 4_2_04CCA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB1CA1 4_2_04CB1CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD46BD 4_2_04CD46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC0EBC 4_2_04CC0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBC6B8 4_2_04CBC6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC0ABA 4_2_04CC0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC4244 4_2_04CC4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB7442 4_2_04CB7442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBE640 4_2_04CBE640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCF840 4_2_04CCF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC2E5D 4_2_04CC2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD0A64 4_2_04CD0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD3263 4_2_04CD3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB7E79 4_2_04CB7E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB7078 4_2_04CB7078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC567B 4_2_04CC567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCA474 4_2_04CCA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBA871 4_2_04CBA871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCDC71 4_2_04CCDC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC8806 4_2_04CC8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC9A01 4_2_04CC9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBB820 4_2_04CBB820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB3431 4_2_04CB3431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCFBDE 4_2_04CCFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBE7DE 4_2_04CBE7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCC5D5 4_2_04CCC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC67E6 4_2_04CC67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCE1F8 4_2_04CCE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB55FF 4_2_04CB55FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC27F9 4_2_04CC27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB4BFC 4_2_04CB4BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC07F4 4_2_04CC07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC9DF5 4_2_04CC9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBFB8E 4_2_04CBFB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB238C 4_2_04CB238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC3D85 4_2_04CC3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC0F86 4_2_04CC0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC6187 4_2_04CC6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB2194 4_2_04CB2194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC8FAE 4_2_04CC8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD07AA 4_2_04CD07AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB77A3 4_2_04CB77A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CCD1BC 4_2_04CCD1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB57B8 4_2_04CB57B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBBFBE 4_2_04CBBFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBD14C 4_2_04CBD14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC7D5B 4_2_04CC7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CD2D53 4_2_04CD2D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBF369 4_2_04CBF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB6B7A 4_2_04CB6B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC5779 4_2_04CC5779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC437A 4_2_04CC437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC017B 4_2_04CC017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC4F74 4_2_04CC4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC9774 4_2_04CC9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBEF0C 4_2_04CBEF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC5515 4_2_04CC5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC8D3D 4_2_04CC8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB1F38 4_2_04CB1F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CC5333 4_2_04CC5333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351FF58 6_2_0351FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03512142 6_2_03512142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351654A 6_2_0351654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351AD08 6_2_0351AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350670B 6_2_0350670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350C5D8 6_2_0350C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351EFDD 6_2_0351EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350A445 6_2_0350A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350DE74 6_2_0350DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03514A66 6_2_03514A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03522009 6_2_03522009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03517A0F 6_2_03517A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03508636 6_2_03508636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03522D53 6_2_03522D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351E955 6_2_0351E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03517D5B 6_2_03517D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350D14C 6_2_0350D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03514F74 6_2_03514F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03519774 6_2_03519774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03515779 6_2_03515779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03506B7A 6_2_03506B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351017B 6_2_0351017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351437A 6_2_0351437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350F369 6_2_0350F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03515515 6_2_03515515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03522B09 6_2_03522B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350EF0C 6_2_0350EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03515333 6_2_03515333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03501F38 6_2_03501F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03518D3D 6_2_03518D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351C5D5 6_2_0351C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350E7DE 6_2_0350E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351FBDE 6_2_0351FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03519DF5 6_2_03519DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035107F4 6_2_035107F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035127F9 6_2_035127F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351E1F8 6_2_0351E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03504BFC 6_2_03504BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035185FF 6_2_035185FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035055FF 6_2_035055FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035167E6 6_2_035167E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03502194 6_2_03502194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03513D85 6_2_03513D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03516187 6_2_03516187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03510F86 6_2_03510F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350238C 6_2_0350238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350FB8E 6_2_0350FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035057B8 6_2_035057B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351D1BC 6_2_0351D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350BFBE 6_2_0350BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035217BD 6_2_035217BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035077A3 6_2_035077A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035207AA 6_2_035207AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03518FAE 6_2_03518FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351B257 6_2_0351B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03512E5D 6_2_03512E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350E640 6_2_0350E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351F840 6_2_0351F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03507442 6_2_03507442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03514244 6_2_03514244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351DC71 6_2_0351DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350A871 6_2_0350A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351A474 6_2_0351A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03507078 6_2_03507078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03507E79 6_2_03507E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351567B 6_2_0351567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03523263 6_2_03523263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03520A64 6_2_03520A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03519A01 6_2_03519A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03518806 6_2_03518806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03503431 6_2_03503431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350B820 6_2_0350B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351CAD5 6_2_0351CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351CCD9 6_2_0351CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351D8DB 6_2_0351D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035080C0 6_2_035080C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351BEFD 6_2_0351BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351E4E5 6_2_0351E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350F0E9 6_2_0350F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03523EE9 6_2_03523EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035200EF 6_2_035200EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350C6B8 6_2_0350C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03510ABA 6_2_03510ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03510EBC 6_2_03510EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035246BD 6_2_035246BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03501CA1 6_2_03501CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0351A2A5 6_2_0351A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_035236AA 6_2_035236AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350BAA9 6_2_0350BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03513EAA 6_2_03513EAA
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030E38 appears 48 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030535 appears 69 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030E38 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030535 appears 87 times
PE file contains strange resources
Source: nV5Wu77N8J.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: nV5Wu77N8J.dll Virustotal: Detection: 16%
Source: nV5Wu77N8J.dll ReversingLabs: Detection: 13%
Source: nV5Wu77N8J.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bdaefwhkzqb\lrinxnmhyts.ogu",XLurkV
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7128 -ip 7128
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bdaefwhkzqb\lrinxnmhyts.ogu",DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 568
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bdaefwhkzqb\lrinxnmhyts.ogu",XLurkV
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bdaefwhkzqb\lrinxnmhyts.ogu",DllRegisterServer
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7128 -ip 7128
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 568
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
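Added example (not part of the sandbox report): a Python script that re-reads the process-creation lines above and scores every rundll32/regsvr32 module load with four heuristics taken from this chain: the loader was spawned by another rundll32/regsvr32 instance, the module's extension is not a DLL extension (here .ogu), the export is called by ordinal (#1), and the module sits in a subdirectory of System32/SysWOW64 (here Bdaefwhkzqb). The heuristics, their equal weights and the threshold of two are this example's own assumptions, not Joe Sandbox signatures; the subdirectory test on its own is noisy because legitimate modules do live under System32 subdirectories, so it only contributes to the combined score.

```python
"""Score rundll32/regsvr32 module loads from sandbox process-creation lines.

Editor-added example; not part of the Joe Sandbox report. The heuristics are
this example's own, derived from the process chain in the report, and are not
Joe Sandbox signatures.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample input: process-creation lines copied from the report above.
SAMPLE_LOG = r'''
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bdaefwhkzqb\lrinxnmhyts.ogu",XLurkV
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bdaefwhkzqb\lrinxnmhyts.ogu",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
'''

# "Source: <parent> Process created: <image> <command line>" as the report prints it.
LINE_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
# rundll32 argument: a quoted or unquoted module path, a comma, then the export name or #ordinal.
ARGS_RE = re.compile(r'(?:"(?P<q>[^"]+)"|(?P<u>[^\s",]+)),(?P<entry>\S+)')

LOADERS = {"rundll32.exe", "regsvr32.exe"}
DLL_EXTS = {".dll", ".ocx", ".cpl", ".ax", ".drv", ".acm"}   # assumed allowlist
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    event: ProcessEvent
    module: str
    export: str
    reasons: list


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcessEvent(m["parent"], m["image"], m["cmdline"]))
    return events


def loader_target(event):
    """Return (module path, export) for a rundll32/regsvr32 event, else None."""
    image = ntpath.basename(event.image).lower()
    if image == "rundll32.exe":
        m = ARGS_RE.search(event.cmdline)
        return (m["q"] or m["u"], m["entry"]) if m else None
    if image == "regsvr32.exe":
        # Module is the last non-switch argument; regsvr32 calls DllRegisterServer by default.
        tokens = re.findall(r'"[^"]*"|\S+', event.cmdline)[1:]
        paths = [t.strip('"') for t in tokens if not t.startswith("/")]
        return (paths[-1], "DllRegisterServer") if paths else None
    return None


def in_system_subdir(path):
    """True when the path is below System32/SysWOW64 but not directly in it."""
    p = path.lower()
    return any(p.startswith(d) and "\\" in p[len(d):] for d in SYSTEM_DIRS)


def assess(event):
    """Apply the four heuristics; each hit adds one reason (one point)."""
    target = loader_target(event)
    if target is None:
        return None
    module, export = target
    reasons = []
    if ntpath.basename(event.parent).lower() in LOADERS:
        reasons.append("spawned by another rundll32/regsvr32 instance")
    ext = ntpath.splitext(module)[1].lower()
    if ext not in DLL_EXTS:
        reasons.append(f"module extension {ext!r} is not a DLL extension")
    if export.startswith("#"):
        reasons.append(f"export called by ordinal ({export})")
    if in_system_subdir(module):   # noisy alone: legitimate modules live under System32 subdirectories
        reasons.append("module lives in a subdirectory of System32/SysWOW64")
    return Finding(event, module, export, reasons)


def find_suspicious(text, threshold=2):
    """Events whose combined score reaches the (assumed) threshold."""
    return [f for f in map(assess, parse_events(text)) if f and len(f.reasons) >= threshold]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.module},{f.export}  [{len(f.reasons)}] " + "; ".join(f.reasons))
```

On the report's own lines the script prints exactly the two launches of lrinxnmhyts.ogu (three points each: loader-spawns-loader, .ogu extension, System32/SysWOW64 subdirectory); the ordinal call on nV5Wu77N8J.dll scores one point and only shows up with a threshold of one. Feed it real process-creation telemetry in the same three-field form and tune the threshold against your baseline before relying on the subdirectory rule.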
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER37B8.tmp
Source: classification engine Classification label: mal92.troj.evad.winDLL@27/10@0/27
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6712:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7128
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource, 2_2_10021183
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts (2 events)
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726747041.0000000002F12000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726920017.0000000002F12000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726719293.00000000049D6000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.727134531.0000000002F18000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726928256.0000000002F18000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726753757.0000000002F18000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000010.00000003.727134531.0000000002F18000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726928256.0000000002F18000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726753757.0000000002F18000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726739926.0000000002F0C000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.727328906.0000000002F0C000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.726747041.0000000002F12000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.726920017.0000000002F12000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000010.00000002.741443173.0000000000A72000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.730451291.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.726739926.0000000002F0C000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.727328906.0000000002F0C000.00000004.00000001.sdmp
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nV5Wu77N8J.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003060D push ecx; ret 2_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003060D push ecx; ret 3_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030E7D push ecx; ret 3_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CB1195 push cs; iretd 4_2_04CB1197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_03501195 push cs; iretd 6_2_03501197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1003E278
PE file contains an invalid checksum
Source: nV5Wu77N8J.dll Static PE information: real checksum: 0x970bf should be: 0x91c5b
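The checksum line means the OptionalHeader.CheckSum stored in the file (0x970bf) does not equal the value the sandbox recomputes over the file with the CheckSumMappedFile algorithm (0x91c5b). The Windows loader only validates this field for drivers and a few boot-time system images, and MSVC's linker leaves it zero unless /RELEASE is used, so a wrong non-zero value is a sign the file was modified after linking (packing, patching, or a copied header) rather than proof of anything on its own. The following is an added example, not code from the report: it implements the algorithm in Python and reports a mismatch in the report's own wording. The minimal 256-byte PE image it checks is constructed for the example and is not the sample.

```python
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute OptionalHeader.CheckSum the way imagehlp!CheckSumMappedFile does:
    sum the file as little-endian 32-bit words with end-around carry, skipping the word
    that holds the CheckSum field itself, fold to 16 bits, then add the file length.
    checksum_offset is assumed 4-byte aligned, which holds for any well-formed PE."""
    length = len(data)
    padded = data + b"\x00" * ((-length) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + length


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + PE signature (4) + COFF header (20) + 0x40."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def check_file(data: bytes):
    """Return (stored, computed, matches) for a PE image held in memory."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def report_line(data: bytes) -> str:
    """Same wording the sandbox uses: 'real' is what the file stores, 'should be' is recomputed."""
    stored, computed, _ = check_file(data)
    return f"real checksum: {stored:#x} should be: {computed:#x}"


def build_minimal_pe(checksum: int) -> bytes:
    """Constructed header-only PE32 image (not the sample): just enough structure for
    checksum_field_offset() to locate the CheckSum field, which lands at offset 0x98."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HH", img, 0x44, 0x014C, 0)     # Machine = i386, NumberOfSections = 0
    struct.pack_into("<HH", img, 0x54, 0xE0, 0x2102)  # SizeOfOptionalHeader, Characteristics = EXECUTABLE|32BIT|DLL
    struct.pack_into("<H", img, 0x58, 0x10B)          # PE32 magic
    struct.pack_into("<I", img, 0x98, checksum)       # OptionalHeader.CheckSum
    return bytes(img)


if __name__ == "__main__":
    good = build_minimal_pe(pe_checksum(build_minimal_pe(0), 0x98))
    print(report_line(good), "->", check_file(good)[2])
    bad = build_minimal_pe(0x970BF)   # the value the report found stored in nV5Wu77N8J.dll
    print(report_line(bad), "->", check_file(bad)[2])
```

To check a real file, read it with open(path, "rb").read() and pass the bytes to check_file(); the computed value for the constructed image differs from the report's 0x91c5b because the image contents differ, which is the point: the checksum is a function of the whole file, so the report's mismatch says the sample's header and its bytes were not produced together.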
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Bdaefwhkzqb\lrinxnmhyts.ogu

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bdaefwhkzqb\lrinxnmhyts.ogu:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Rejasxmfwpqnhtgn\jdiy.puy:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_1001DFC0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (7 events)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (4 events)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 events)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 events)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6048 Thread sleep time: -150000s >= -30000s
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.8 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.2 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.16.dr Binary or memory string: VMware
Source: Amcache.hve.16.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.16.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.16.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.16.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.16.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr Binary or memory string: VMware7,1
Source: Amcache.hve.16.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.16.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000014.00000002.822285678.0000020B39ED1000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.822309970.0000020B39EE9000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.822205344.0000020B39E82000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.16.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.16.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.16.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.16.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002DB0D
Note: this IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / TerminateProcess sequence, like the __NMSG_WRITE,_raise and _memset,IsDebuggerPresent chains listed under "Checks if the current process is being debugged" below, is the failure-reporting path of the statically linked MSVC C runtime (the _invoke_watson, __report_gsfailure and abort helpers; the report itself resolves __invoke_watson in the locale functions further down), present in most MSVC-built binaries. On its own it is not evidence of attacker-written anti-debugging. The DebugPort queries and the fs:[30h] PEB reads located in the unpacked payload regions (4_2_04CBF7F7, 6_2_0350F7F7) are the indicators worth weighting.
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1003E278
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 2_2_10002D40
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04CBF7F7 mov eax, dword ptr fs:[00000030h] 4_2_04CBF7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0350F7F7 mov eax, dword ptr fs:[00000030h] 6_2_0350F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort (3 queries)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10032CB9

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7128 -ip 7128
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 568
Source: loaddll32.exe, 00000000.00000000.720426982.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.722595476.0000000001260000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1187914001.00000000033E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.720426982.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.722595476.0000000001260000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1187914001.00000000033E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.720426982.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.722595476.0000000001260000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1187914001.00000000033E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.720426982.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.722595476.0000000001260000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1187914001.00000000033E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 2_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 2_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 2_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 2_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 2_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 2_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 2_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 2_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 3_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 3_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 3_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 3_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 3_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 3_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 3_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 3_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 3_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 3_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1003732F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024F01 _memset,GetVersionExA, 3_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.16.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 14.2.rundll32.exe.55b0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5030000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5510000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.52a0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.56f0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.59a0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.de0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4780000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.49a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.52d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5570000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.e10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5270000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5570000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.49d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5540000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.de0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.59d0000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.34d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5a20000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5a20000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.52d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.de0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5300000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.55e0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5110000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.55b0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.57a0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5a50000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.57d0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.57a0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.56c0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5210000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.52f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5140000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.52b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5510000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5060000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5110000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.5270000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.e10000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5270000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.49a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.34d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.59a0000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5160000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5130000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.56c0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5240000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5270000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5210000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.52b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.718929777.0000000003501000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188125968.00000000049D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190726376.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.718904101.00000000034D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719243124.0000000005161000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719379711.00000000052A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719211601.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190213897.00000000057D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719345888.0000000005270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719826672.00000000053B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719773637.00000000052F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188426833.0000000005110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188330842.0000000005030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719527275.0000000004CB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719316941.0000000005241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719898030.0000000005510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.723238837.0000000004750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188469714.0000000005141000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.670020972.0000000004740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1186610997.0000000002E00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188598739.00000000052A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719919636.0000000005541000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188659452.0000000005301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.720219818.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.669938310.0000000002541000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.720240608.0000000000E11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719503580.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188052400.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719747240.00000000052B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190813785.0000000005A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719938381.0000000005570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190127401.00000000057A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719857103.00000000053E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.722455601.0000000000E11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.719284878.0000000005210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188878871.00000000055E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1186687872.0000000002E31000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188363449.0000000005061000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190848028.0000000005A51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188631120.00000000052D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.722263663.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188973289.00000000056F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188839400.00000000055B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.723309788.0000000004781000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.670044528.0000000004771000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188934735.00000000056C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.742599060.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1188553677.0000000005270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.669913455.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1190787571.00000000059D1000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 2_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_10001160
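The traced chain above (WSAStartup, socket, bind, setsockopt) only proves that the injected code binds a socket; the report does not show the follow-on listen/accept calls, so the "possibly a backdoor" wording is deliberately hedged. On a live host the cheaper confirmation is to look for a LISTENING socket owned by a DLL-hosting LOLBin such as rundll32.exe or regsvr32.exe, which have no business binding ports of their own. The following is an added hunting example, not part of the Joe Sandbox report: it parses constructed `netstat -ano`-style rows, joins them with a constructed PID-to-image map (as you would get from `tasklist`), and flags listening sockets owned by those images. The sample rows, PIDs and port 8080 are invented for illustration.

```python
"""Flag listening sockets owned by DLL-host LOLBins (rundll32/regsvr32/loaddll32).

Added example; not code from the sandbox report. Input resembles `netstat -ano`
output joined with a PID->image lookup; the sample data below is constructed.
"""
from dataclasses import dataclass

# Images that load arbitrary DLLs and normally never bind a listening socket.
SUSPICIOUS_LISTENER_IMAGES = {"rundll32.exe", "regsvr32.exe", "loaddll32.exe"}


@dataclass(frozen=True)
class Socket:
    proto: str   # "TCP" or "UDP"
    local: str   # local address:port
    state: str   # TCP state; empty for UDP
    pid: int


def parse_netstat(text: str) -> list[Socket]:
    """Parse `netstat -ano` rows: Proto, Local, Foreign, State, PID (UDP rows lack State)."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        if parts[0] == "TCP":
            proto, local, _foreign, state, pid = parts[:5]
        else:
            proto, local, _foreign, pid = parts[:4]
            state = ""
        sockets.append(Socket(proto, local, state, int(pid)))
    return sockets


def suspicious_listeners(sockets: list[Socket], pid_to_image: dict[int, str]):
    """Return (image, pid, proto, local) for bound/listening sockets owned by suspicious images.

    TCP sockets count only in LISTENING state (an ESTABLISHED outbound C2
    connection is a different finding); any bound UDP socket counts.
    """
    hits = []
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        image = pid_to_image.get(s.pid, "").lower()
        if image in SUSPICIOUS_LISTENER_IMAGES:
            hits.append((image, s.pid, s.proto, s.local))
    return hits


# Constructed sample: one rundll32 listener, one rundll32 outbound session,
# and ordinary system listeners that must not be flagged.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4132
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     4132
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1320
"""
PID_TO_IMAGE = {876: "svchost.exe", 4132: "rundll32.exe", 4: "System", 1320: "svchost.exe"}

if __name__ == "__main__":
    for hit in suspicious_listeners(parse_netstat(NETSTAT_SAMPLE), PID_TO_IMAGE):
        print("suspicious listener:", hit)
```

The ESTABLISHED rundll32 row is intentionally excluded here because it is the C2 beacon, already covered by the report's network signatures; this check is specifically about the bind-and-listen behaviour the code trace hints at. In production, replace the constructed map with live `tasklist /fo csv` or Sysmon Event ID 3 data, and treat any hit on a fresh host as worth pulling memory from the flagged PID.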