Windows Analysis Report PtBIxmYbK8.dll

Overview

General Information

Sample Name: PtBIxmYbK8.dll
Analysis ID: 553387
MD5: cdf3dc30cd25f5dc97c5f7b9c2d1abe5
SHA1: 2e60ddf31429088419bdd186f10ff5e2d437236c
SHA256: 9b571f59abe91b0684fec7bc2311225630ee92c647cd91f37847cd5f8f1dc85c
Tags: 32, dll, exe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 8.2.rundll32.exe.4bc0000.5.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: PtBIxmYbK8.dll Virustotal: Detection: 15%
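The configuration block above is the most useful artefact in this report, and its "Public Key" entries deserve a second look: both base64 strings start with RUNLMS... and RUNTMS..., which decode to the ASCII magics "ECK1" and "ECS1" followed by a key length of 0x20. That is the Windows BCRYPT_ECCPUBLIC_BLOB layout (magic, cbKey, X, Y) for P-256 ECDH and ECDSA public keys, publicly reported as the key-agreement and response-signing keys of this Emotet generation. The following parser is an added example, not Joe Sandbox's extractor or any Emotet code: it takes the configuration exactly as printed above, splits the C2 list into host/port pairs with a per-port summary, decodes both blobs, and checks that the decoded coordinates lie on P-256 so a corrupted or truncated key is noticed before it is used for tracking. The curve constants and generator are the NIST values; all function names are this example's own.

```python
import base64
import json
import struct
from collections import Counter

# The configuration exactly as the malware configuration extractor printed it
# in the report above (27 C2 endpoints and two base64 public-key blobs).
CONFIG_JSON = """
{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080",
             "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443",
             "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080",
             "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080",
             "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443",
             "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443",
             "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080",
             "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443",
             "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"],
 "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
                "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
"""

# NIST P-256 (y^2 = x^3 - 3x + b mod p) and its standard generator G. They are
# used only to sanity-check that a decoded blob is a valid point on the curve.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

# BCRYPT_ECCKEY_BLOB magic values from bcrypt.h: "ECK1" and "ECS1" read as a
# little-endian DWORD. The blob layout is dwMagic, cbKey, X[cbKey], Y[cbKey].
BCRYPT_MAGIC = {
    0x314B4345: "ECDH",   # BCRYPT_ECDH_PUBLIC_P256_MAGIC
    0x31534345: "ECDSA",  # BCRYPT_ECDSA_PUBLIC_P256_MAGIC
}


def p256_on_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies the P-256 curve equation."""
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def parse_ecc_public_blob(b64: str) -> dict:
    """Decode one base64 BCRYPT_ECCPUBLIC_BLOB into algorithm and coordinates."""
    blob = base64.b64decode(b64)
    magic, cb_key = struct.unpack_from("<II", blob, 0)
    if magic not in BCRYPT_MAGIC:
        raise ValueError(f"unknown BCRYPT magic 0x{magic:08x}")
    if len(blob) != 8 + 2 * cb_key:
        raise ValueError(f"blob is {len(blob)} bytes, expected {8 + 2 * cb_key}")
    x = int.from_bytes(blob[8:8 + cb_key], "big")          # coordinates are big-endian
    y = int.from_bytes(blob[8 + cb_key:8 + 2 * cb_key], "big")
    return {
        "algorithm": BCRYPT_MAGIC[magic],
        "curve": "P-256",
        "key_bytes": cb_key,
        "x": x,
        "y": y,
        "on_curve": p256_on_curve(x, y),
    }


def parse_c2_list(entries: list) -> list:
    """Split 'ip:port' strings into (ip, int port) tuples."""
    c2 = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        c2.append((host, int(port)))
    return c2


def parse_config(config_json: str) -> dict:
    """Parse the extractor output into C2 tuples, a per-port count and decoded keys."""
    cfg = json.loads(config_json)
    c2 = parse_c2_list(cfg["C2 list"])
    return {
        "c2": c2,
        "ports": Counter(port for _, port in c2),
        "keys": [parse_ecc_public_blob(k) for k in cfg["Public Key"]],
    }


if __name__ == "__main__":
    result = parse_config(CONFIG_JSON)
    print(f"{len(result['c2'])} C2 endpoints, ports: {dict(result['ports'])}")
    for key in result["keys"]:
        print(f"{key['algorithm']:5} {key['curve']} {key['key_bytes'] * 8}-bit "
              f"x={key['x']:064x} on_curve={key['on_curve']}")
    for ip, port in result["c2"]:
        print(f"{ip}\t{port}")
```

Because the magic and cbKey fields are checked before the coordinates are read, a blob with a foreign magic or a wrong length raises instead of silently producing garbage coordinates; the on-curve flag is what tells you whether a key you are about to pivot on in other samples is actually usable.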

Compliance:

Uses 32bit PE files
Source: PtBIxmYbK8.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305787983.0000000004D37000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.306197869.0000000003223000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305884024.0000000003223000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.310197280.0000000005192000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.320300111.0000000002EB2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.310197280.0000000005192000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310279384.0000000005195000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.306329684.000000000321D000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305873147.000000000321D000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000D.00000003.310197280.0000000005192000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310279384.0000000005195000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.306056486.0000000003229000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305888368.0000000003229000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000D.00000003.310197280.0000000005192000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.306056486.0000000003229000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305888368.0000000003229000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.306197869.0000000003223000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305884024.0000000003223000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000D.00000003.306329684.000000000321D000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305873147.000000000321D000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49743 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49744 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.138.98.34:80
Source: Malware configuration extractor IPs: 69.16.218.101:8080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49753 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 11
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101 (11 connections)
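The network findings above line up into a small, reusable detection: the sample talks to hard-coded IPs from the extracted C2 list, it does so from rundll32.exe (a system binary), over 8080 as well as 80 and 443, and without any preceding DNS query. The block below is an added example (not part of the Joe Sandbox report) that encodes those four observations as rules over endpoint connection and DNS telemetry, and emits local Suricata rules for the C2 list in the spirit of the ET "Feodo Tracker Reported CnC Server" alerts above. The connection and DNS log records, the process paths, the TEST-NET destination addresses and the SID range are constructed for the example and labelled as such; the C2 endpoints are the ones from the configuration. The Store catalogue JSON and streaming-service URLs listed further down the report come from svchost.exe memory, not from the sample, and are deliberately not part of the indicator set.

```python
from ipaddress import ip_address, ip_network

# C2 endpoints from the configuration extracted above.
C2_ENDPOINTS = [
    "45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080",
    "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443",
    "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080",
    "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080",
    "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443",
    "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443",
    "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080",
    "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443",
    "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443",
]
EMOTET_C2 = {(e.rpartition(":")[0], int(e.rpartition(":")[2])) for e in C2_ENDPOINTS}

# Ranges treated as internal. RFC 5737 TEST-NET ranges are intentionally not
# listed so the constructed sample destinations below count as external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Windows binaries that should not normally originate egress traffic; both are
# the connecting processes in the report. Tune this set for your environment.
SYSTEM_BINARIES = {"rundll32.exe", "regsvr32.exe"}
STANDARD_PORTS = {80, 443}

# Constructed sample telemetry (not from the report): (timestamp, image, dst, port)
CONN_LOG = [
    ("2022-01-20T10:00:02", r"C:\Program Files\Example\updater.exe", "203.0.113.10", 443),
    ("2022-01-20T10:00:05", r"C:\Windows\SysWOW64\rundll32.exe", "45.138.98.34", 80),
    ("2022-01-20T10:00:09", r"C:\Windows\SysWOW64\rundll32.exe", "69.16.218.101", 8080),
    ("2022-01-20T10:00:12", r"C:\Windows\System32\svchost.exe", "192.168.2.1", 53),
    ("2022-01-20T10:00:20", r"C:\Users\me\AppData\Local\Temp\dl.exe", "198.51.100.7", 8443),
]
# Constructed DNS answers (not from the report): (timestamp, query, answer)
DNS_LOG = [
    ("2022-01-20T10:00:00", "updates.example.com", "203.0.113.10"),
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(conn_log, dns_log, c2):
    """Return one alert dict per (connection, rule) pair that fires."""
    alerts = []
    for ts, image, dst, port in conn_log:
        if is_internal(dst):
            continue
        # Only answers seen before the connection count as a resolution.
        resolved = {ans for dts, _, ans in dns_log if dts <= ts}
        fired = []
        if (dst, port) in c2:
            fired.append("c2_hit")
        if dst not in resolved:
            fired.append("no_dns_resolution")
        if image.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES:
            fired.append("system_binary_egress")
        if port not in STANDARD_PORTS:
            fired.append("nonstandard_port")
        alerts.extend({"ts": ts, "image": image, "dst": dst, "port": port, "rule": r}
                      for r in fired)
    return alerts


def suricata_rules(c2, base_sid=9000000):
    """One local Suricata rule per C2 endpoint. The SID range is an assumption;
    choose one that is free in your deployment."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"LOCAL Emotet C2 from extracted config {ip}:{port}"; '
            f'flow:to_server; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for a in analyze(CONN_LOG, DNS_LOG, EMOTET_C2):
        print(f"{a['ts']} {a['rule']:22} {a['image']} -> {a['dst']}:{a['port']}")
    print("\n".join(suricata_rules(EMOTET_C2)))
```

The IOC match is the weakest of the four rules because the list rotates; the other three (direct-to-IP with no resolution, egress from rundll32.exe/regsvr32.exe, non-standard ports) describe the behaviour rather than the infrastructure and keep firing after the C2 list changes, which is why the example reports them separately instead of collapsing everything into one verdict.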
Source: svchost.exe, 0000001A.00000003.453009043.0000023177787000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001A.00000003.453009043.0000023177787000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001A.00000003.453009043.0000023177787000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.453039278.0000023177798000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","T
Z","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001A.00000003.453009043.0000023177787000.00000004.00000001.sdmp String found in binary or memory: attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bb
we"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,
Source: svchost.exe, 0000001A.00000002.472723028.0000023177700000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001A.00000002.472481866.0000023176EE7000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.18.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000001A.00000003.441248860.0000023177791000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.443775997.0000023177777000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441382268.00000231777B1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441129492.000002317776C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441267741.000002317776D000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441353106.00000231777D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441319649.000002317779B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441399080.0000023177C02000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441299535.000002317777F000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000001A.00000002.472756328.000002317771F000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microft8
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000001A.00000003.441248860.0000023177791000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.443775997.0000023177777000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441382268.00000231777B1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441129492.000002317776C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441267741.000002317776D000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441353106.00000231777D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441319649.000002317779B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441399080.0000023177C02000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441299535.000002317777F000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001A.00000003.441248860.0000023177791000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.443775997.0000023177777000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441382268.00000231777B1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441129492.000002317776C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441267741.000002317776D000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441353106.00000231777D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441319649.000002317779B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441399080.0000023177C02000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441299535.000002317777F000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001A.00000003.441248860.0000023177791000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.443775997.0000023177777000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441382268.00000231777B1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441129492.000002317776C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441267741.000002317776D000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441353106.00000231777D1000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441319649.000002317779B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441399080.0000023177C02000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.441299535.000002317777F000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001A.00000003.445321406.000002317777F000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.446551226.000002317777F000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.446523607.0000023177C02000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10001280 recvfrom, 6_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 6_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 7_2_10027958

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 17.2.rundll32.exe.49b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4c00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4a90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4bd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b90000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cf0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4bc0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.29c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.3250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4ba0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.4b90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4a90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4d50000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.loaddll32.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cf0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4d20000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3130000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4d50000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.3250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4bd0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.loaddll32.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4750000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ad0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.345243637.0000000004BC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.344911121.0000000004591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385135770.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345163882.0000000004AD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385727612.0000000004B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.346835949.00000000049B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.301361831.00000000010D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.292884938.0000000003250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.325185349.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.346349668.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345117733.0000000004A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345389551.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385657332.0000000004AB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385833414.0000000004BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.301328959.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.292946530.0000000004B91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.299739915.00000000010D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345356242.0000000004D21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.344514792.0000000002C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345313925.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.335991032.00000000029C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.299543600.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.336442645.0000000004751000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.325240760.00000000010D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345214624.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385786113.0000000004BA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.384990047.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385594738.0000000004A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385904649.0000000004C01000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: PtBIxmYbK8.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6048 -ip 6048
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Mjuakgeb\fhtvflqppfnv.wdg:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Mjuakgeb\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EEFDD 3_2_010EEFDD
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DEF0C 3_2_010DEF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F2B09 3_2_010F2B09
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D670B 3_2_010D670B
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EAD08 3_2_010EAD08
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E5515 3_2_010E5515
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E8D3D 3_2_010E8D3D
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D1F38 3_2_010D1F38
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E5333 3_2_010E5333
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DD14C 3_2_010DD14C
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E654A 3_2_010E654A
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E2142 3_2_010E2142
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E7D5B 3_2_010E7D5B
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EFF58 3_2_010EFF58
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EE955 3_2_010EE955
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F2D53 3_2_010F2D53
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DF369 3_2_010DF369
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E017B 3_2_010E017B
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E5779 3_2_010E5779
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D6B7A 3_2_010D6B7A
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E4F74 3_2_010E4F74
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E9774 3_2_010E9774
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D238C 3_2_010D238C
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DFB8E 3_2_010DFB8E
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E0F86 3_2_010E0F86
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E6187 3_2_010E6187
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E3D85 3_2_010E3D85
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D2194 3_2_010D2194
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E8FAE 3_2_010E8FAE
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F07AA 3_2_010F07AA
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D77A3 3_2_010D77A3
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010ED1BC 3_2_010ED1BC
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F17BD 3_2_010F17BD
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DBFBE 3_2_010DBFBE
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D57B8 3_2_010D57B8
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DE7DE 3_2_010DE7DE
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DC5D8 3_2_010DC5D8
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EC5D5 3_2_010EC5D5
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E67E6 3_2_010E67E6
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E85FF 3_2_010E85FF
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D4BFC 3_2_010D4BFC
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D55FF 3_2_010D55FF
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EE1F8 3_2_010EE1F8
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E9DF5 3_2_010E9DF5
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E7A0F 3_2_010E7A0F
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F2009 3_2_010F2009
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E8806 3_2_010E8806
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E9A01 3_2_010E9A01
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DB820 3_2_010DB820
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D8636 3_2_010D8636
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D3431 3_2_010D3431
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DA445 3_2_010DA445
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E4244 3_2_010E4244
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DE640 3_2_010DE640
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EF840 3_2_010EF840
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D7442 3_2_010D7442
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E2E5D 3_2_010E2E5D
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EB257 3_2_010EB257
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E4A66 3_2_010E4A66
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F0A64 3_2_010F0A64
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F3263 3_2_010F3263
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D7E79 3_2_010D7E79
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D7078 3_2_010D7078
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E567B 3_2_010E567B
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DDE74 3_2_010DDE74
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EA474 3_2_010EA474
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DA871 3_2_010DA871
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EDC71 3_2_010EDC71
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E3EAA 3_2_010E3EAA
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DBAA9 3_2_010DBAA9
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F36AA 3_2_010F36AA
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EA2A5 3_2_010EA2A5
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D1CA1 3_2_010D1CA1
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F46BD 3_2_010F46BD
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E0EBC 3_2_010E0EBC
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E0ABA 3_2_010E0ABA
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DC6B8 3_2_010DC6B8
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D80C0 3_2_010D80C0
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010ED8DB 3_2_010ED8DB
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010ECCD9 3_2_010ECCD9
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010ECAD5 3_2_010ECAD5
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F00EF 3_2_010F00EF
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DF0E9 3_2_010DF0E9
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010F3EE9 3_2_010F3EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EE4E5 3_2_010EE4E5
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010EBEFD 3_2_010EBEFD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_100291F6 6_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1002F378 6_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_100403D7 6_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1004250B 6_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10041557 6_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_100395A1 6_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1002F784 6_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1004091B 6_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1002EACF 6_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1002FBA4 6_2_1002FBA4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10035D96 6_2_10035D96
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10040E5F 6_2_10040E5F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1002EFA4 6_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100291F6 7_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1002F378 7_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100403D7 7_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1004250B 7_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10041557 7_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100395A1 7_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1002F784 7_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1004091B 7_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1002EACF 7_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1002FBA4 7_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10035D96 7_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10040E5F 7_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1002EFA4 7_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AB257 8_2_045AB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459DE74 8_2_0459DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A4A66 8_2_045A4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B2009 8_2_045B2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A7A0F 8_2_045A7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04598636 8_2_04598636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AFF58 8_2_045AFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AE955 8_2_045AE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A654A 8_2_045A654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A2142 8_2_045A2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459670B 8_2_0459670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AAD08 8_2_045AAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459C5D8 8_2_0459C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AEFDD 8_2_045AEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A85FF 8_2_045A85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B17BD 8_2_045B17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A2E5D 8_2_045A2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459E640 8_2_0459E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AF840 8_2_045AF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04597442 8_2_04597442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459A445 8_2_0459A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A4244 8_2_045A4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04597E79 8_2_04597E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04597078 8_2_04597078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A567B 8_2_045A567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459A871 8_2_0459A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045ADC71 8_2_045ADC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AA474 8_2_045AA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B3263 8_2_045B3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B0A64 8_2_045B0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A9A01 8_2_045A9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A8806 8_2_045A8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04593431 8_2_04593431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459B820 8_2_0459B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AD8DB 8_2_045AD8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045ACCD9 8_2_045ACCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045ACAD5 8_2_045ACAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045980C0 8_2_045980C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045ABEFD 8_2_045ABEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459F0E9 8_2_0459F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B3EE9 8_2_045B3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B00EF 8_2_045B00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AE4E5 8_2_045AE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A0ABA 8_2_045A0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459C6B8 8_2_0459C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B46BD 8_2_045B46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A0EBC 8_2_045A0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A3EAA 8_2_045A3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459BAA9 8_2_0459BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B36AA 8_2_045B36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04591CA1 8_2_04591CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AA2A5 8_2_045AA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A7D5B 8_2_045A7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B2D53 8_2_045B2D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459D14C 8_2_0459D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A437A 8_2_045A437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A017B 8_2_045A017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A5779 8_2_045A5779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04596B7A 8_2_04596B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A4F74 8_2_045A4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A9774 8_2_045A9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459F369 8_2_0459F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A5515 8_2_045A5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B2B09 8_2_045B2B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459EF0C 8_2_0459EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04591F38 8_2_04591F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A8D3D 8_2_045A8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A5333 8_2_045A5333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AFBDE 8_2_045AFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459E7DE 8_2_0459E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AC5D5 8_2_045AC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AE1F8 8_2_045AE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A27F9 8_2_045A27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04594BFC 8_2_04594BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045955FF 8_2_045955FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A07F4 8_2_045A07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A9DF5 8_2_045A9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A67E6 8_2_045A67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04592194 8_2_04592194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459238C 8_2_0459238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459FB8E 8_2_0459FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A0F86 8_2_045A0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A6187 8_2_045A6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A3D85 8_2_045A3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045957B8 8_2_045957B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045AD1BC 8_2_045AD1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459BFBE 8_2_0459BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045B07AA 8_2_045B07AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045A8FAE 8_2_045A8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_045977A3 8_2_045977A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDDE74 15_2_02DDDE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE4A66 15_2_02DE4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE7A0F 15_2_02DE7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF2009 15_2_02DF2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD8636 15_2_02DD8636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEEFDD 15_2_02DEEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDC5D8 15_2_02DDC5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEFF58 15_2_02DEFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE654A 15_2_02DE654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE2142 15_2_02DE2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD670B 15_2_02DD670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEAD08 15_2_02DEAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DED8DB 15_2_02DED8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DECCD9 15_2_02DECCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DECAD5 15_2_02DECAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD80C0 15_2_02DD80C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEBEFD 15_2_02DEBEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF00EF 15_2_02DF00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDF0E9 15_2_02DDF0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF3EE9 15_2_02DF3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEE4E5 15_2_02DEE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF46BD 15_2_02DF46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE0EBC 15_2_02DE0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE0ABA 15_2_02DE0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDC6B8 15_2_02DDC6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE3EAA 15_2_02DE3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDBAA9 15_2_02DDBAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF36AA 15_2_02DF36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEA2A5 15_2_02DEA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD1CA1 15_2_02DD1CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE2E5D 15_2_02DE2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEB257 15_2_02DEB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDA445 15_2_02DDA445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE4244 15_2_02DE4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDE640 15_2_02DDE640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEF840 15_2_02DEF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD7442 15_2_02DD7442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD7E79 15_2_02DD7E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD7078 15_2_02DD7078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE567B 15_2_02DE567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEA474 15_2_02DEA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDA871 15_2_02DDA871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEDC71 15_2_02DEDC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF0A64 15_2_02DF0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF3263 15_2_02DF3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE8806 15_2_02DE8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE9A01 15_2_02DE9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD3431 15_2_02DD3431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDB820 15_2_02DDB820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEFBDE 15_2_02DEFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDE7DE 15_2_02DDE7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEC5D5 15_2_02DEC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE85FF 15_2_02DE85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD4BFC 15_2_02DD4BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD55FF 15_2_02DD55FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEE1F8 15_2_02DEE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE27F9 15_2_02DE27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE07F4 15_2_02DE07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE9DF5 15_2_02DE9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE67E6 15_2_02DE67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD2194 15_2_02DD2194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD238C 15_2_02DD238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDFB8E 15_2_02DDFB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE0F86 15_2_02DE0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE6187 15_2_02DE6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE3D85 15_2_02DE3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DED1BC 15_2_02DED1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF17BD 15_2_02DF17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDBFBE 15_2_02DDBFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD57B8 15_2_02DD57B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE8FAE 15_2_02DE8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF07AA 15_2_02DF07AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD77A3 15_2_02DD77A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE7D5B 15_2_02DE7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DEE955 15_2_02DEE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF2D53 15_2_02DF2D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDD14C 15_2_02DDD14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE437A 15_2_02DE437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE017B 15_2_02DE017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE5779 15_2_02DE5779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD6B7A 15_2_02DD6B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE4F74 15_2_02DE4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE9774 15_2_02DE9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDF369 15_2_02DDF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE5515 15_2_02DE5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDEF0C 15_2_02DDEF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DF2B09 15_2_02DF2B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE8D3D 15_2_02DE8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD1F38 15_2_02DD1F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DE5333 15_2_02DE5333
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030E38 appears 58 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030535 appears 87 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030E38 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030535 appears 87 times
PE file contains strange resources
Source: PtBIxmYbK8.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: PtBIxmYbK8.dll Virustotal: Detection: 15%
Source: PtBIxmYbK8.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6048 -ip 6048
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 512
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mjuakgeb\fhtvflqppfnv.wdg",DvMDRtCzK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mjuakgeb\fhtvflqppfnv.wdg",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 512
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mjuakgeb\fhtvflqppfnv.wdg",DvMDRtCzK
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6048 -ip 6048
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 512
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mjuakgeb\fhtvflqppfnv.wdg",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DF2.tmp
Source: classification engine Classification label: mal96.troj.evad.winDLL@32/11@0/27
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4848:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6620:64:WilError_01
Source: C:\Windows\System32\SgrmBroker.exe Mutant created: \BaseNamedObjects\Local\SM0:7136:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6048
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10021183 LoadResource,LockResource,SizeofResource, 6_2_10021183
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305787983.0000000004D37000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.306197869.0000000003223000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305884024.0000000003223000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.310197280.0000000005192000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.320300111.0000000002EB2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.310197280.0000000005192000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310279384.0000000005195000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.306329684.000000000321D000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305873147.000000000321D000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000D.00000003.310197280.0000000005192000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310279384.0000000005195000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.306056486.0000000003229000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305888368.0000000003229000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000D.00000003.310197280.0000000005192000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.310272488.0000000005190000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.306056486.0000000003229000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305888368.0000000003229000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.306197869.0000000003223000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305884024.0000000003223000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.310285213.0000000005198000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.310219778.0000000005198000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.310178934.0000000005051000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000D.00000003.306329684.000000000321D000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.305873147.000000000321D000.00000004.00000001.sdmp
Source: PtBIxmYbK8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PtBIxmYbK8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PtBIxmYbK8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PtBIxmYbK8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PtBIxmYbK8.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010D1195 push cs; iretd 3_2_010D1197
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E08E0 push esp; iretd 3_2_010E08E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1003060D push ecx; ret 6_2_10030620
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10030E7D push ecx; ret 6_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1003060D push ecx; ret 7_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10030E7D push ecx; ret 7_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04591195 push cs; iretd 8_2_04591197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DD1195 push cs; iretd 15_2_02DD1197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 6_2_1003E278
PE file contains an invalid checksum
Source: PtBIxmYbK8.dll Static PE information: real checksum: 0x970bf should be: 0x91160
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Mjuakgeb\fhtvflqppfnv.wdg

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mjuakgeb\fhtvflqppfnv.wdg:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bryfb\ermkapknuabuy.jmo:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 6_2_100250A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 6_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 7_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 7_2_1001DFC0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1756 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.0 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.13.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: VMware7,1
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 0000001A.00000002.472383830.0000023176E82000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.472481866.0000023176EE7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.13.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_1002DB0D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 6_2_1003E278
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 6_2_10002D40
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010DF7F7 mov eax, dword ptr fs:[00000030h] 3_2_010DF7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0459F7F7 mov eax, dword ptr fs:[00000030h] 8_2_0459F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02DDF7F7 mov eax, dword ptr fs:[00000030h] 15_2_02DDF7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 3_2_010E2142 LdrInitializeThunk, 3_2_010E2142
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10032CB9

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6048 -ip 6048
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 512
Source: loaddll32.exe, 00000003.00000000.301396427.0000000001140000.00000002.00020000.sdmp, loaddll32.exe, 00000003.00000000.299879733.0000000001140000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000003.00000000.301396427.0000000001140000.00000002.00020000.sdmp, loaddll32.exe, 00000003.00000000.299879733.0000000001140000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000003.00000000.301396427.0000000001140000.00000002.00020000.sdmp, loaddll32.exe, 00000003.00000000.299879733.0000000001140000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000003.00000000.301396427.0000000001140000.00000002.00020000.sdmp, loaddll32.exe, 00000003.00000000.299879733.0000000001140000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 6_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 6_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 6_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 6_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 6_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 6_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 6_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 6_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 6_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 6_2_1003DD07
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 6_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 7_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 7_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 7_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 7_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 7_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 7_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 7_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 7_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 7_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 7_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 7_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 7_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 7_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 7_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 7_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 7_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_1003732F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10024F01 _memset,GetVersionExA, 6_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.LOG1.13.dr, Amcache.hve.13.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000002.00000002.681136636.000001D8FEA3D000.00000004.00000001.sdmp Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000002.00000002.681096557.000001D8FEA13000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.681175010.000001D8FEB02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.13.dr, Amcache.hve.13.dr Binary or memory string: procexp.exe
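Two triage notes on the evidence above, followed by an added helper script that is not sandbox output and not code from the sample. First, the locale "Code function" entries come in identical pairs for process 6 (regsvr32.exe) and process 7 (rundll32.exe) at the same addresses, consistent with the same DLL image mapped at the same base in both hosts, so the 36 lines are 18 distinct matches. The helper names in those chains (__getptd, ___getlocaleinfo, _LcidFromHexString, _GetPrimaryLen, _TestDefaultLanguage, _TranslateName, __free_lconv_mon, _LocaleUpdate::_LocaleUpdate) are the MSVC C runtime's setlocale()/localeconv() internals from a statically linked CRT; they indicate a locale-aware runtime, not language-based targeting logic written by the sample's author. Second, the Security Center key write, the ROOT\SecurityCenter2 queries and the AV process strings are attributed to C:\Windows\System32\svchost.exe, to svchost.exe memory and to Amcache.hve, not to the sample's loaddll32/regsvr32/rundll32 hosts. The Security Center service (wscsvc) itself runs inside svchost.exe and owns HKLM\SOFTWARE\Microsoft\Security Center, Windows' own security-status components are the normal consumers of the AntiVirusProduct/FirewallProduct/AntiSpywareProduct classes, and Amcache.hve is the application-compatibility database of the analysis machine that records executables run on it (the procexp.exe path is such an entry). Treat those lines as sample behaviour only where the sample is shown injecting into that svchost. The script collapses duplicated code-function matches by address and flags CRT-internal chains, and lists evidence whose source lies outside the sample's process tree. SAMPLE_LINES is a constructed excerpt of entries on this page; CRT_LOCALE_INTERNALS is an assumption taken from the helper names themselves.

```python
"""Triage helpers for Joe Sandbox 'Source:' evidence lines.
Added example; not sandbox output and not code from the sample."""
import re

# Constructed excerpt in the report's own format; paths, RVAs and call chains mirror
# entries shown above (process 6 = regsvr32.exe, process 7 = rundll32.exe).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 6_2_1003E000",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_1003E000",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_1003D8C5",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 7_2_1003D8C5",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 6_2_1002129B",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 6_2_10001160",
    r"Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct",
    r"Source: Amcache.hve.LOG1.13.dr, Amcache.hve.13.dr Binary or memory string: c:\users\user\desktop\procexp.exe",
]

EVIDENCE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+"
    r"(?P<kind>Code function|Key value created or modified|Key value queried|"
    r"WMI Queries|Binary or memory string):\s+(?P<detail>.*)$"
)
CODE_ID_RE = re.compile(r"(?P<pid>\d+)_(?P<phase>\d)_(?P<rva>[0-9A-Fa-f]{8})$")

# Assumption: MSVC CRT setlocale()/localeconv() helpers, identified from the names in the
# chains above; they are statically linked runtime code, not logic specific to the sample.
CRT_LOCALE_INTERNALS = {
    "__getptd", "___getlocaleinfo", "___crtGetLocaleInfoA", "___crtGetLocaleInfoW",
    "__crtGetLocaleInfoA_stat", "___crtLCMapStringA", "___crtGetStringTypeA",
    "_LcidFromHexString", "_GetPrimaryLen", "_TestDefaultLanguage", "_TranslateName",
    "_GetLcidFromLangCountry", "_GetLcidFromLanguage", "_ProcessCodePage",
    "_LocaleUpdate::_LocaleUpdate", "__free_lconv_mon", "__free_lconv_num",
}
SAMPLE_HOSTS = {"loaddll32.exe", "regsvr32.exe", "rundll32.exe"}  # the sample's loader processes


def parse_evidence(line):
    """Split one 'Source: <src> <kind>: <detail>' line; None for lines of other shapes."""
    m = EVIDENCE_RE.match(line.strip())
    return m.groupdict() if m else None


def source_basename(source):
    """'C:\\Windows\\System32\\svchost.exe' or 'svchost.exe, <dump>' -> 'svchost.exe'."""
    return source.split(",")[0].strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_code_detail(detail):
    """'chain, <pid>_<phase>_<RVA>' -> (pid, rva, [calls]); the id may also lead the chain."""
    m = CODE_ID_RE.search(detail)
    if not m:
        raise ValueError("no <pid>_<phase>_<rva> id in: " + detail)
    chain = detail[:m.start()].strip().rstrip(",")
    chain = re.sub(r"^\d+_\d_[0-9A-Fa-f]{8}\s+", "", chain)
    return int(m.group("pid")), int(m.group("rva"), 16), [c for c in chain.split(",") if c]


def collapse_code_functions(lines):
    """One row per (RVA, chain) across processes: the same image at the same base in every
    host yields identical matches, so 2 hosts x N chains becomes N rows listing 2 pids."""
    rows = {}
    for line in lines:
        ev = parse_evidence(line)
        if not ev or ev["kind"] != "Code function":
            continue
        pid, rva, calls = split_code_detail(ev["detail"])
        row = rows.setdefault((rva, tuple(calls)), {
            "rva": rva, "calls": calls, "pids": set(),
            "crt_internal": any(c in CRT_LOCALE_INTERNALS for c in calls)})
        row["pids"].add(pid)
    return sorted((dict(r, pids=sorted(r["pids"])) for r in rows.values()), key=lambda r: r["rva"])


def evidence_outside_sample_tree(lines, sample_hosts=SAMPLE_HOSTS):
    """Evidence lines whose source is not one of the sample's loader processes (system
    services, dumps of other processes, artefact files such as Amcache.hve)."""
    flagged = []
    for line in lines:
        ev = parse_evidence(line)
        if ev and source_basename(ev["source"]) not in sample_hosts:
            flagged.append({"kind": ev["kind"], "source": source_basename(ev["source"]),
                            "detail": ev["detail"]})
    return flagged


if __name__ == "__main__":
    for r in collapse_code_functions(SAMPLE_LINES):
        tag = "CRT" if r["crt_internal"] else "   "
        print(f"{tag} {r['rva']:08X} pids={r['pids']} {','.join(r['calls'])}")
    for f in evidence_outside_sample_tree(SAMPLE_LINES):
        print("NOT SAMPLE TREE:", f["source"], "|", f["kind"], "|", f["detail"])
```

Run it over the full report text (one evidence line per list element) to see which signatures rest only on svchost.exe or Amcache sources, and which code-function chains are CRT furniture; the chain at 1002129B (GetLocaleInfoA feeding __snwprintf_s and LoadLibraryA) is the one in the locale group that is not a bare CRT internal.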

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 17.2.rundll32.exe.49b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4c00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4a90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4bd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b90000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cf0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4bc0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.29c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.3250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4ba0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.4b90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4b90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4a90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4d50000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.loaddll32.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4cf0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4d20000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.3130000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4d50000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.3250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4bd0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.loaddll32.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4750000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.loaddll32.exe.10d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ad0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4a30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.345243637.0000000004BC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.344911121.0000000004591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385135770.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345163882.0000000004AD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385727612.0000000004B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.346835949.00000000049B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.301361831.00000000010D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.292884938.0000000003250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.325185349.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.346349668.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345117733.0000000004A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345389551.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385657332.0000000004AB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385833414.0000000004BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.301328959.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.292946530.0000000004B91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.299739915.00000000010D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345356242.0000000004D21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.344514792.0000000002C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345313925.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.335991032.00000000029C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.299543600.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.336442645.0000000004751000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.325240760.00000000010D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345214624.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385786113.0000000004BA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.384990047.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385594738.0000000004A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.385904649.0000000004C01000.00000020.00000001.sdmp, type: MEMORY
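The Yara hits above name the same payload in two file naming schemes: "<pid>.<phase>.<image>.<base>.<index>[.raw].unpack" with a decimal pid for carved PE images, and "<pid>.<phase>.<dump id>.<address>.<flags>.<flags>.sdmp" with a zero-padded hex pid for memory dumps, so 15.2.rundll32.exe.2dd0000.1.unpack and 0000000F.00000002.385135770.0000000002DD1000.00000020.00000001.sdmp describe the same region of process 15. In this listing every 00000040 dump starts exactly at the PE base and has a .raw.unpack twin, while every 00000020 dump starts one page above the base; reading that field as the Win32 page protection (0x40 PAGE_EXECUTE_READWRITE, 0x20 PAGE_EXECUTE_READ) is an assumption that fits the values seen here. The script below is an added example, not sandbox output or code from the sample, that joins the two schemes per process and base, giving one row per unpacked Emotet image across loaddll32.exe (3), regsvr32.exe (6) and the rundll32.exe hosts (7, 8, 15, 17) when run over the full list. SAMPLE_LINES is a constructed subset of the entries above.

```python
"""Join Joe Sandbox Yara hits on carved PEs (.unpack) with the memory dumps (.sdmp)
they were carved from. Added example; not sandbox output or code from the sample."""
import re
from collections import defaultdict

# Constructed subset of the 'Yara match' lines in this report.
SAMPLE_LINES = [
    "Source: Yara match File source: 17.2.rundll32.exe.49b0000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 15.2.rundll32.exe.4b70000.4.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 15.2.rundll32.exe.4b70000.4.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 6.2.regsvr32.exe.3250000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 3.0.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000011.00000002.346835949.00000000049B1000.00000020.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.385727612.0000000004B70000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000006.00000002.292884938.0000000003250000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000000.301361831.00000000010D1000.00000020.00000001.sdmp, type: MEMORY",
]

YARA_RE = re.compile(r"^Source:\s+Yara match File source:\s+(?P<name>\S+),\s+type:\s+(?P<type>\w+)$")
# <pid>.<phase>.<image>.<base>.<index>[.raw].unpack  (pid, phase, index decimal; base hex)
UNPACK_RE = re.compile(r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)"
                       r"\.(?P<index>\d+)(?P<raw>\.raw)?\.unpack$")
# <pid>.<phase>.<dump id>.<address>.<flags1>.<flags2>.sdmp  (pid, phase, address, flags hex)
SDMP_RE = re.compile(r"^(?P<pid>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
                     r"(?P<addr>[0-9A-F]{16})\.(?P<flags1>[0-9A-F]{8})\.(?P<flags2>[0-9A-F]{8})\.sdmp$")

# Assumption: flags1 is the Win32 page protection of the dumped region; only these two
# values occur in this report.
PAGE_PROTECT = {0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
SECTION_SLACK = 0x1000  # RX dumps begin at the first section, one page above the PE base


def parse_unpack(name):
    m = UNPACK_RE.match(name)
    if not m:
        return None
    return {"pid": int(m["pid"]), "phase": int(m["phase"]), "image": m["image"],
            "base": int(m["base"], 16), "raw": m["raw"] is not None, "name": name}


def parse_sdmp(name):
    m = SDMP_RE.match(name)
    if not m:
        return None
    return {"pid": int(m["pid"], 16), "phase": int(m["phase"], 16), "addr": int(m["addr"], 16),
            "protect": int(m["flags1"], 16), "name": name}


def correlate(lines):
    """(pid, phase) -> base -> {image, unpacks, dump, protect}. A dump is tied to a carved PE
    when it starts at the PE base (RWX dumps) or within one page above it (RX dumps)."""
    regions = defaultdict(dict)
    dumps = []
    for line in lines:
        m = YARA_RE.match(line.strip())
        if not m:
            continue
        if m["type"] == "UNPACKEDPE":
            u = parse_unpack(m["name"])
            if u:
                reg = regions[(u["pid"], u["phase"])].setdefault(
                    u["base"], {"image": u["image"], "unpacks": [], "dump": None, "protect": None})
                reg["unpacks"].append(u["name"])
        elif m["type"] == "MEMORY":
            d = parse_sdmp(m["name"])
            if d:
                dumps.append(d)
    for d in dumps:
        procs = regions[(d["pid"], d["phase"])]
        hit = next((b for b in procs if 0 <= d["addr"] - b <= SECTION_SLACK), None)
        if hit is None:  # dump without a carved PE: keep it as a region of its own
            procs[d["addr"]] = {"image": None, "unpacks": [], "dump": None, "protect": None}
            hit = d["addr"]
        procs[hit]["dump"] = d["name"]
        procs[hit]["protect"] = PAGE_PROTECT.get(d["protect"], hex(d["protect"]))
    return regions


def summarize(lines):
    """Flat sorted rows: (pid, phase, image, base, protect, carved PE count, dump present)."""
    rows = []
    for (pid, phase), bases in correlate(lines).items():
        for base, reg in bases.items():
            rows.append((pid, phase, reg["image"], base, reg["protect"],
                         len(reg["unpacks"]), reg["dump"] is not None))
    return sorted(rows, key=lambda r: (r[0], r[1], r[3]))


if __name__ == "__main__":
    for pid, phase, image, base, protect, n, dumped in summarize(SAMPLE_LINES):
        print(f"pid {pid:>2} phase {phase} {image or '?':<14} base {base:08X} "
              f"{protect or '?':<22} carved={n} dump={'yes' if dumped else 'no'}")
```

The row count per process is the number of distinct Emotet images found in it; a base whose dump is PAGE_EXECUTE_READWRITE with a .raw twin is the region the loader wrote and executed in place, which is the one to pull for configuration extraction.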

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 6_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 7_2_10001160
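The matched chain ends at setsockopt: bind is present, but listen and accept are not part of the matched sequence, so the signature shows a socket being bound inside the loader hosts rather than proof that inbound connections are accepted. The check a responder wants is whether a rundll32.exe or regsvr32.exe process on a live host actually holds a bound or listening socket. The script below is an added example, not from the report or the sample, that joins "netstat -ano" with "tasklist /FO CSV /NH" and reports TCP listeners and bound UDP sockets owned by those hosts; NETSTAT_SAMPLE and TASKLIST_SAMPLE, including their PIDs, ports and addresses, are constructed for the demonstration. On a Windows host, "--live" collects the two outputs directly.

```python
"""Report bound or listening sockets owned by rundll32.exe / regsvr32.exe / loaddll32.exe on
a Windows host by joining 'netstat -ano' with 'tasklist /FO CSV /NH'.
Added example; not from the report or the sample."""
import csv
import io
import subprocess
import sys

LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "loaddll32.exe"}

# Constructed outputs for the demonstration: PIDs, ports and addresses are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4412
  TCP    192.168.2.5:49712      10.0.0.9:443           ESTABLISHED     4412
  TCP    [::]:135               [::]:0                 LISTENING       900
  UDP    0.0.0.0:5355           *:*                                    1328
  UDP    0.0.0.0:6000           *:*                                    5120
"""
TASKLIST_SAMPLE = """\
"svchost.exe","900","Services","0","9,120 K"
"rundll32.exe","4412","Console","1","12,004 K"
"svchost.exe","1328","Services","0","7,552 K"
"regsvr32.exe","5120","Console","1","6,140 K"
"""


def parse_netstat(text):
    """Rows of 'netstat -ano': TCP lines carry a state column, UDP lines do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            rows.append({"proto": "TCP", "local": parts[1], "state": parts[3], "pid": int(parts[4])})
        elif len(parts) == 4 and parts[0] == "UDP":
            rows.append({"proto": "UDP", "local": parts[1], "state": "BOUND", "pid": int(parts[3])})
    return rows


def parse_tasklist_csv(text):
    """'tasklist /FO CSV /NH' -> {pid: image name in lower case}."""
    return {int(r[1]): r[0].lower() for r in csv.reader(io.StringIO(text)) if len(r) >= 2}


def bound_sockets_by_lolbin(netstat_text, tasklist_csv, hosts=LOLBIN_HOSTS):
    """TCP listeners and bound UDP sockets whose owning process is one of the loader hosts;
    outbound ESTABLISHED connections are deliberately left out."""
    images = parse_tasklist_csv(tasklist_csv)
    hits = []
    for row in parse_netstat(netstat_text):
        image = images.get(row["pid"], "")
        if image in hosts and row["state"] in ("LISTENING", "BOUND"):
            hits.append(dict(row, image=image))
    return hits


def collect_live():
    """Run both commands on a Windows host (assumes netstat and tasklist are on PATH)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=True).stdout
    return ns, tl


if __name__ == "__main__":
    if "--live" in sys.argv and sys.platform == "win32":
        netstat_text, tasklist_csv = collect_live()
    else:
        netstat_text, tasklist_csv = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for h in bound_sockets_by_lolbin(netstat_text, tasklist_csv):
        print(f"{h['image']:<14} pid {h['pid']:<6} {h['proto']} {h['local']:<24} {h['state']}")
```

A rundll32.exe or regsvr32.exe that owns a listening TCP port or a bound UDP port has no legitimate reason to in normal operation; pair any hit with the command line of that process (the DLL it was asked to load) before acting on it.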