Windows Analysis Report hPJnda9rBy.dll

Overview

General Information

Sample Name: hPJnda9rBy.dll
Analysis ID: 553354
MD5: 56c2941eb73ea59306cc9d2a6b15974c
SHA1: 8d483f2069955ae7a3f7e70e6dafa2641cbf4a75
SHA256: 7caa923401ec9a16969f0b37225b77cd16c6923abff2eda76f1fa9a35bff2879
Tags: 32dllexe

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4b20000.6.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: hPJnda9rBy.dll Virustotal: Detection: 18%

Compliance:

Uses 32bit PE files
Source: hPJnda9rBy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb(a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.700670403.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.702229591.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684427719.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.700685466.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.689014142.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684358827.0000000000E03000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684475829.0000000000E09000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbxa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.689189866.0000000004745000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbTa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.689189866.0000000004745000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdbfa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb"a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb~a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: combase.pdbla source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: aEnjrHnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.701961614.0000000000182000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49775 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49776 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 11
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000013.00000002.815236727.000001691AAF1000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.13.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000013.00000003.791410747.000001691B390000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001280 recvfrom, 2_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.703211400.000000000089B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_10027958

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.4430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5610000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.50f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5250000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5250000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.860000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.820000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.31c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.37e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4940000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5120000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.42e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.50f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b20000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b50000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2f10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.42e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b80000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.820000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fb0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4910000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5640000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5610000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4910000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.44b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.31c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.669073242.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685263921.0000000005281000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.684322708.00000000031C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.684701271.0000000004AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.688210118.00000000037E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719107308.0000000004941000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.669823060.0000000004480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.677964446.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685292012.00000000052B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.676011964.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685429920.0000000005641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719259656.0000000004B51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685397124.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.669847564.00000000044B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685144979.0000000005121000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685224843.0000000005250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685049749.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719178137.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.687920491.0000000003520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719295807.0000000004B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685326019.00000000052E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.684986586.0000000004FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.678063941.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.669249846.0000000002F11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.702950192.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685112085.00000000050F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719142845.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719325918.0000000004BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719229913.0000000004B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.718771472.00000000042E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719080684.0000000004910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.676117547.0000000000861000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: hPJnda9rBy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Nqsihdpwvadvq\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087EFDD 0_2_0087EFDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087A2A5 0_2_0087A2A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008836AA 0_2_008836AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00861CA1 0_2_00861CA1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00873EAA 0_2_00873EAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086BAA9 0_2_0086BAA9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008846BD 0_2_008846BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00870EBC 0_2_00870EBC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00870ABA 0_2_00870ABA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086C6B8 0_2_0086C6B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008680C0 0_2_008680C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087CAD5 0_2_0087CAD5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087D8DB 0_2_0087D8DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087CCD9 0_2_0087CCD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00883EE9 0_2_00883EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087E4E5 0_2_0087E4E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008800EF 0_2_008800EF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086F0E9 0_2_0086F0E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087BEFD 0_2_0087BEFD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00882009 0_2_00882009
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00878806 0_2_00878806
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00879A01 0_2_00879A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00877A0F 0_2_00877A0F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086B820 0_2_0086B820
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00868636 0_2_00868636
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00863431 0_2_00863431
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086A445 0_2_0086A445
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00874244 0_2_00874244
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00867442 0_2_00867442
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086E640 0_2_0086E640
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087F840 0_2_0087F840
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087B257 0_2_0087B257
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00872E5D 0_2_00872E5D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00874A66 0_2_00874A66
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00883263 0_2_00883263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00880A64 0_2_00880A64
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086DE74 0_2_0086DE74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087A474 0_2_0087A474
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087DC71 0_2_0087DC71
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086A871 0_2_0086A871
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087567B 0_2_0087567B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00867078 0_2_00867078
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00867E79 0_2_00867E79
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00876187 0_2_00876187
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00870F86 0_2_00870F86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00873D85 0_2_00873D85
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086FB8E 0_2_0086FB8E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086238C 0_2_0086238C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00862194 0_2_00862194
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008807AA 0_2_008807AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008677A3 0_2_008677A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00878FAE 0_2_00878FAE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008817BD 0_2_008817BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086BFBE 0_2_0086BFBE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087D1BC 0_2_0087D1BC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008657B8 0_2_008657B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087C5D5 0_2_0087C5D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086E7DE 0_2_0086E7DE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087FBDE 0_2_0087FBDE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086C5D8 0_2_0086C5D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008767E6 0_2_008767E6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00879DF5 0_2_00879DF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008707F4 0_2_008707F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008785FF 0_2_008785FF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008655FF 0_2_008655FF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00864BFC 0_2_00864BFC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008727F9 0_2_008727F9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087E1F8 0_2_0087E1F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00882B09 0_2_00882B09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086EF0C 0_2_0086EF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086670B 0_2_0086670B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087AD08 0_2_0087AD08
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00875515 0_2_00875515
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00875333 0_2_00875333
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00878D3D 0_2_00878D3D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00861F38 0_2_00861F38
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00872142 0_2_00872142
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086D14C 0_2_0086D14C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087654A 0_2_0087654A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087E955 0_2_0087E955
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00882D53 0_2_00882D53
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00877D5B 0_2_00877D5B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087FF58 0_2_0087FF58
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086F369 0_2_0086F369
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00874F74 0_2_00874F74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00879774 0_2_00879774
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00866B7A 0_2_00866B7A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087017B 0_2_0087017B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0087437A 0_2_0087437A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00875779 0_2_00875779
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100291F6 2_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F378 2_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100403D7 2_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1004250B 2_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041557 2_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100395A1 2_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F784 2_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1004091B 2_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002EACF 2_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002FBA4 2_2_1002FBA4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10035D96 2_2_10035D96
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10040E5F 2_2_10040E5F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002EFA4 2_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100291F6 3_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F378 3_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100403D7 3_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004250B 3_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041557 3_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100395A1 3_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F784 3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004091B 3_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002EACF 3_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002FBA4 3_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04444A66 4_2_04444A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443DE74 4_2_0443DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04447A0F 4_2_04447A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04452009 4_2_04452009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04438636 4_2_04438636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04442142 4_2_04442142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444654A 4_2_0444654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444FF58 4_2_0444FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443670B 4_2_0443670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444AD08 4_2_0444AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444EFDD 4_2_0444EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443C5D8 4_2_0443C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04444244 4_2_04444244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04437442 4_2_04437442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443E640 4_2_0443E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444F840 4_2_0444F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443A445 4_2_0443A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444B257 4_2_0444B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04442E5D 4_2_04442E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04450A64 4_2_04450A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04453263 4_2_04453263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444A474 4_2_0444A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443A871 4_2_0443A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444DC71 4_2_0444DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04437E79 4_2_04437E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04437078 4_2_04437078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444567B 4_2_0444567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04448806 4_2_04448806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04449A01 4_2_04449A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443B820 4_2_0443B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04433431 4_2_04433431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044380C0 4_2_044380C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444CAD5 4_2_0444CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444CCD9 4_2_0444CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444D8DB 4_2_0444D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444E4E5 4_2_0444E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443F0E9 4_2_0443F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044500EF 4_2_044500EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04453EE9 4_2_04453EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444BEFD 4_2_0444BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444A2A5 4_2_0444A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04431CA1 4_2_04431CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443BAA9 4_2_0443BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04443EAA 4_2_04443EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044536AA 4_2_044536AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044546BD 4_2_044546BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04440EBC 4_2_04440EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443C6B8 4_2_0443C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04440ABA 4_2_04440ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443D14C 4_2_0443D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444E955 4_2_0444E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04452D53 4_2_04452D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04447D5B 4_2_04447D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443F369 4_2_0443F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04444F74 4_2_04444F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04449774 4_2_04449774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04436B7A 4_2_04436B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04445779 4_2_04445779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444437A 4_2_0444437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444017B 4_2_0444017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04452B09 4_2_04452B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443EF0C 4_2_0443EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04445515 4_2_04445515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04445333 4_2_04445333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04448D3D 4_2_04448D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04431F38 4_2_04431F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444C5D5 4_2_0444C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444FBDE 4_2_0444FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443E7DE 4_2_0443E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044467E6 4_2_044467E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044407F4 4_2_044407F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04449DF5 4_2_04449DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044485FF 4_2_044485FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444E1F8 4_2_0444E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044355FF 4_2_044355FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044427F9 4_2_044427F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04434BFC 4_2_04434BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04443D85 4_2_04443D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04440F86 4_2_04440F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04446187 4_2_04446187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443FB8E 4_2_0443FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443238C 4_2_0443238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04432194 4_2_04432194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044377A3 4_2_044377A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04448FAE 4_2_04448FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044507AA 4_2_044507AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0444D1BC 4_2_0444D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044517BD 4_2_044517BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044357B8 4_2_044357B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443BFBE 4_2_0443BFBE
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030E38 appears 58 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030535 appears 87 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030E38 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030535 appears 72 times
PE file contains strange resources
Source: hPJnda9rBy.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: hPJnda9rBy.dll Virustotal: Detection: 18%
Source: hPJnda9rBy.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb",kzlZNp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 536
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Knpnqswfpazuozi\koewoajrwakr.ckb",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb",kzlZNp
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 536
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Knpnqswfpazuozi\koewoajrwakr.ckb",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF831.tmp
Source: classification engine Classification label: mal92.troj.evad.winDLL@26/10@0/27
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:4180:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6532
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource, 2_2_10021183
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb(a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.700670403.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.702229591.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684427719.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.700685466.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.689014142.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684358827.0000000000E03000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684475829.0000000000E09000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbxa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.689189866.0000000004745000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbTa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.689189866.0000000004745000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdbfa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb"a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb~a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: combase.pdbla source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source: Binary string: aEnjrHnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.701961614.0000000000182000.00000004.00000001.sdmp
Source: hPJnda9rBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hPJnda9rBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hPJnda9rBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hPJnda9rBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hPJnda9rBy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00861195 push cs; iretd 0_2_00861197
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003060D push ecx; ret 2_2_10030620
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10030E7D push ecx; ret 2_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003060D push ecx; ret 3_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04431195 push cs; iretd 4_2_04431197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1003E278
PE file contains an invalid checksum
Source: hPJnda9rBy.dll Static PE information: real checksum: 0x970bf should be: 0x924d6
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Nqsihdpwvadvq\acqvopgo.gfg:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_100250A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_100250A3
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5256 Thread sleep time: -30000s >= -30000s
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.8 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.3 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000013.00000002.814970608.000001691AA81000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.814320214.000001691AA81000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW `
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000013.00000002.815169961.000001691AADB000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.815236727.000001691AAF1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002DB0D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1003E278
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 2_2_10002D40
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0086F7F7 mov eax, dword ptr fs:[00000030h] 0_2_0086F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0443F7F7 mov eax, dword ptr fs:[00000030h] 4_2_0443F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008836AA LdrInitializeThunk, 0_2_008836AA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002DB0D

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 536
Source: loaddll32.exe, 00000000.00000000.676705643.0000000001380000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678482379.0000000001380000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.676705643.0000000001380000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678482379.0000000001380000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.676705643.0000000001380000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678482379.0000000001380000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.676705643.0000000001380000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678482379.0000000001380000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 2_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 2_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 2_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 2_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 2_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 2_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 2_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 2_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 2_2_1003DD07
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 2_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 3_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 3_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 3_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 3_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 3_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 3_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 3_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 3_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1003732F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10024F01 _memset,GetVersionExA, 2_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.4430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5610000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.50f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5250000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5250000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.860000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.820000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.31c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.37e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4940000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5120000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.42e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.50f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b20000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b50000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.2f10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.42e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b80000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.820000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fb0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4910000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5640000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5610000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4910000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.44b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.31c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.669073242.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685263921.0000000005281000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.684322708.00000000031C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.684701271.0000000004AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.688210118.00000000037E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719107308.0000000004941000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.669823060.0000000004480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.677964446.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685292012.00000000052B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.676011964.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685429920.0000000005641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719259656.0000000004B51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685397124.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.669847564.00000000044B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685144979.0000000005121000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685224843.0000000005250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685049749.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719178137.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.687920491.0000000003520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719295807.0000000004B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685326019.00000000052E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.684986586.0000000004FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.678063941.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.669249846.0000000002F11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.702950192.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.685112085.00000000050F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719142845.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719325918.0000000004BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719229913.0000000004B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.718771472.00000000042E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.719080684.0000000004910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.676117547.0000000000861000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 2_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_10001160