Windows Analysis Report nIQCsrVbbw

Overview

General Information

Sample Name: nIQCsrVbbw (renamed file extension from none to dll)
Analysis ID: 553359
MD5: 06b75d254c6844f78c7d7eefa5b1243e
SHA1: af4b4dccf317dbeeab97868a9514a7c9e496c8d3
SHA256: b0e46325319e75a2490a73045a60030961851c07d266df73d7e048799e133ec7
Tags: 32dllexe
Infos:

Most interesting Screenshot:

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.2.loaddll32.exe.d00000.0.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: nIQCsrVbbw.dll Virustotal: Detection: 15% Perma Link
Source: nIQCsrVbbw.dll ReversingLabs: Detection: 16%

Compliance:

barindex
Uses 32bit PE files
Source: nIQCsrVbbw.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383845627.00000000035D4000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383476749.0000000005098000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.394941169.0000000000EF2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383589686.00000000035DA000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb= source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49743 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49744 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.138.98.34:80
Source: Malware configuration extractor IPs: 69.16.218.101:8080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000017.00000003.472067286.000001D8FAB99000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000017.00000003.472067286.000001D8FAB99000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000017.00000002.488230673.000001D8FAB00000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000E.00000003.438068118.00000000006E2000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.436839850.0000000004F9C000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f94ba70d714c2
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.17.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.465928142.000001D8FAB90000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001280 recvfrom, 2_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000000.379244317.00000000006FB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 12_2_10027958

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.4860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5380000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.51c0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1270000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5320000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.11d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.12a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5090000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d50000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1270000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1140000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5060000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1170000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.56c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5350000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5350000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1390000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5190000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4830000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1390000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4860000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.11d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4c90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.880000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5060000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5190000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.56c0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.56f0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.361373048.0000000000881000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369867351.0000000005381000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.306596758.0000000003330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.376038820.0000000000D51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369320365.00000000051C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.370265294.00000000056C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359468675.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.368368956.0000000004831000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369446130.00000000052F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.368922473.0000000004B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367128450.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367810302.0000000001270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367757114.0000000001171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.370663067.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369147966.0000000005060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.368438775.0000000004860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.306669964.0000000003411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.370426063.00000000056F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369281669.0000000005190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367845396.00000000012A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367713608.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.379371136.0000000000D51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.376060277.0000000004C91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369637751.0000000005350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.397131962.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367919454.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367465277.0000000000BC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.368222308.00000000011D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.376003738.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.379329782.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369552219.0000000005321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369203622.0000000005091000.00000020.00000001.sdmp, type: MEMORY

System Summary:

barindex
Uses 32bit PE files
Source: nIQCsrVbbw.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Uibizbzyxusffon\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100291F6 2_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F378 2_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100403D7 2_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1004250B 2_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041557 2_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100395A1 2_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F784 2_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1004091B 2_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002EACF 2_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002FBA4 2_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100291F6 3_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F378 3_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100403D7 3_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004250B 3_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041557 3_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100395A1 3_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F784 3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004091B 3_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002EACF 3_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002FBA4 3_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035D96 3_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10040E5F 3_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002EFA4 3_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC8636 5_2_00BC8636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD7A0F 5_2_00BD7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE2009 5_2_00BE2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCDE74 5_2_00BCDE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD4A66 5_2_00BD4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDB257 5_2_00BDB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCA445 5_2_00BCA445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE17BD 5_2_00BE17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD85FF 5_2_00BD85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDEFDD 5_2_00BDEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCC5D8 5_2_00BCC5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDAD08 5_2_00BDAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC670B 5_2_00BC670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDFF58 5_2_00BDFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDE955 5_2_00BDE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD654A 5_2_00BD654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD2142 5_2_00BD2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD0EBC 5_2_00BD0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE46BD 5_2_00BE46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCC6B8 5_2_00BCC6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD0ABA 5_2_00BD0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE36AA 5_2_00BE36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCBAA9 5_2_00BCBAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD3EAA 5_2_00BD3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDA2A5 5_2_00BDA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC1CA1 5_2_00BC1CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDBEFD 5_2_00BDBEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE00EF 5_2_00BE00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCF0E9 5_2_00BCF0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE3EE9 5_2_00BE3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDE4E5 5_2_00BDE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDCCD9 5_2_00BDCCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDD8DB 5_2_00BDD8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDCAD5 5_2_00BDCAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC80C0 5_2_00BC80C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC3431 5_2_00BC3431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCB820 5_2_00BCB820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD8806 5_2_00BD8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD9A01 5_2_00BD9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC7078 5_2_00BC7078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC7E79 5_2_00BC7E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD567B 5_2_00BD567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDA474 5_2_00BDA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDDC71 5_2_00BDDC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCA871 5_2_00BCA871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE0A64 5_2_00BE0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE3263 5_2_00BE3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD2E5D 5_2_00BD2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD4244 5_2_00BD4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCE640 5_2_00BCE640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDF840 5_2_00BDF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC7442 5_2_00BC7442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDD1BC 5_2_00BDD1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCBFBE 5_2_00BCBFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC57B8 5_2_00BC57B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD8FAE 5_2_00BD8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE07AA 5_2_00BE07AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC77A3 5_2_00BC77A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC2194 5_2_00BC2194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC238C 5_2_00BC238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCFB8E 5_2_00BCFB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD3D85 5_2_00BD3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD6187 5_2_00BD6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD0F86 5_2_00BD0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC4BFC 5_2_00BC4BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC55FF 5_2_00BC55FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD27F9 5_2_00BD27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDE1F8 5_2_00BDE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD9DF5 5_2_00BD9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD07F4 5_2_00BD07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD67E6 5_2_00BD67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCE7DE 5_2_00BCE7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDFBDE 5_2_00BDFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BDC5D5 5_2_00BDC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD8D3D 5_2_00BD8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC1F38 5_2_00BC1F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD5333 5_2_00BD5333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD5515 5_2_00BD5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCEF0C 5_2_00BCEF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE2B09 5_2_00BE2B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD5779 5_2_00BD5779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC6B7A 5_2_00BC6B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD017B 5_2_00BD017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD437A 5_2_00BD437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD4F74 5_2_00BD4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD9774 5_2_00BD9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCF369 5_2_00BCF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BD7D5B 5_2_00BD7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BE2D53 5_2_00BE2D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCD14C 5_2_00BCD14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100291F6 12_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002F378 12_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100403D7 12_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1004250B 12_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10041557 12_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100395A1 12_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002F784 12_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1004091B 12_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002EACF 12_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002FBA4 12_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10035D96 12_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10040E5F 12_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002EFA4 12_2_1002EFA4
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030E38 appears 49 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030535 appears 76 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030E38 appears 116 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1003578B appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030535 appears 174 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030568 appears 32 times
PE file contains strange resources
Source: nIQCsrVbbw.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: nIQCsrVbbw.dll Virustotal: Detection: 15%
Source: nIQCsrVbbw.dll ReversingLabs: Detection: 16%
Source: nIQCsrVbbw.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E1.tmp Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winDLL@29/14@0/28
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:3876:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6748
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource, 2_2_10021183
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383845627.00000000035D4000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383476749.0000000005098000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.394941169.0000000000EF2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383589686.00000000035DA000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb= source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nIQCsrVbbw.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003060D push ecx; ret 2_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003060D push ecx; ret 3_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030E7D push ecx; ret 3_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BC1195 push cs; iretd 5_2_00BC1197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003060D push ecx; ret 12_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10030E7D push ecx; ret 12_2_10030E90
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1003E278
PE file contains an invalid checksum
Source: nIQCsrVbbw.dll Static PE information: real checksum: 0x970bf should be: 0x943a9
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll

Persistence and Installation Behavior:

barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ejank\xjmldn.gsl:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 12_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 12_2_1001DFC0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 3144 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6908 Thread sleep time: -30000s >= -30000s Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.2 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.17.dr Binary or memory string: VMware
Source: Amcache.hve.17.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.17.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001B.00000002.827552655.0000023AC8E60000.00000004.00000001.sdmp Binary or memory string: y_Event$@Hyper-V RAW2d-4c2f-a0a5-91ba6f8f5c2f}LMEM
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.17.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr Binary or memory string: VMware7,1
Source: Amcache.hve.17.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000017.00000002.488004797.000001D8FA2EF000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.487873057.000001D8FA284000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.487235003.000001D8FA257000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.487824691.000001D8FA258000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.826608694.0000023AC362A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.827535646.0000023AC8E4A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.17.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.17.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002DB0D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1003E278
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 2_2_10002D40
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00BCF7F7 mov eax, dword ptr fs:[00000030h] 5_2_00BCF7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_10032CB9

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512 Jump to behavior
Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 2_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 2_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 2_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 2_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 2_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 2_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 2_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 2_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 2_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 3_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 3_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 3_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 3_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 3_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 3_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 3_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 3_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 3_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 3_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 12_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 12_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 12_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 12_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 12_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 12_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 12_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 12_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 12_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 12_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 12_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 12_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 12_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 12_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 12_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 12_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 12_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 12_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 12_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1003732F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024F01 _memset,GetVersionExA, 3_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.17.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.4860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5380000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.51c0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1270000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5320000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.11d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.12a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5090000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d50000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1270000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1140000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5060000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1170000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.56c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5350000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5350000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1390000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5190000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4830000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4b70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1390000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4860000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.11d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4c90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.880000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5060000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5190000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.56c0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.56f0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.361373048.0000000000881000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369867351.0000000005381000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.306596758.0000000003330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.376038820.0000000000D51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369320365.00000000051C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.370265294.00000000056C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359468675.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.368368956.0000000004831000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369446130.00000000052F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.368922473.0000000004B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367128450.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367810302.0000000001270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367757114.0000000001171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.370663067.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369147966.0000000005060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.368438775.0000000004860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.306669964.0000000003411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.370426063.00000000056F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369281669.0000000005190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367845396.00000000012A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367713608.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.379371136.0000000000D51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.376060277.0000000004C91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369637751.0000000005350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.397131962.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367919454.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367465277.0000000000BC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.368222308.00000000011D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.376003738.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.379329782.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369552219.0000000005321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.369203622.0000000005091000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 2_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 12_2_10001160